Symptoms
When accessing my domain, I sometimes see a 421 Misdirected Request: "The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection."
Description
When accessing a site, often from Safari, the site will redirect and display a 421 status, or a 421 status together with a Misdirected Request message. The following section of Apache's HTTP/2 (http2) documentation applies:
Multiple Hosts and Misdirected Requests
Many sites use the same TLS certificate for multiple virtual hosts.
The certificate either has a wildcard name, such as '*.example.org' or carries several
alternate names. Browsers using HTTP/2 will recognize that and reuse an already opened
connection for such hosts.
While this is great for performance, it comes at a price: such vhosts need more care
in their configuration. The problem is that you will have multiple requests for
multiple hosts on the same TLS connection. And that makes renegotiation impossible,
in fact the HTTP/2 standard forbids it.
So, if you have several virtual hosts using the same certificate and want to use
HTTP/2 for them, you need to make sure that all vhosts have exactly the same SSL
configuration. You need the same protocol, ciphers and settings for client
verification.
If you mix things, Apache httpd will detect it and return a special response code,
421 Misdirected Request, to the client.
Workaround
Remove the wildcard certificate and install a new SSL certificate for the domain, or remove http2.
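Before changing certificates, it helps to confirm which virtual hosts share a certificate while differing in the settings the Apache documentation names (protocol, ciphers, client verification). The following check is an added example, not part of the original article or of Apache; the host names, paths and sample configuration are constructed, and it assumes every relevant directive is set inside the VirtualHost block (it does not follow Include files or server-level defaults).

```python
import re
from collections import defaultdict

# Constructed sample configuration (hypothetical hosts and certificate paths).
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName shop.example.org
    SSLCertificateFile /etc/ssl/wildcard.example.org.crt
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
<VirtualHost *:443>
    ServerName admin.example.org
    SSLCertificateFile /etc/ssl/wildcard.example.org.crt
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:443>
    ServerName blog.example.net
    SSLCertificateFile /etc/ssl/blog.example.net.crt
    SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

# Settings that must match across vhosts sharing a certificate under HTTP/2.
COMPARED = ("sslprotocol", "sslciphersuite", "sslverifyclient")

def parse_vhosts(conf):
    """Return one {directive: value} dict per <VirtualHost> block."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                # Directive names are case-insensitive; normalise value whitespace.
                directives[parts[0].lower()] = " ".join(parts[1].split())
        vhosts.append(directives)
    return vhosts

def find_mismatches(conf):
    """Map certificate path -> ServerNames of vhosts whose compared settings differ."""
    by_cert = defaultdict(list)
    for vh in parse_vhosts(conf):
        if "sslcertificatefile" in vh:
            by_cert[vh["sslcertificatefile"]].append(vh)
    return {cert: sorted(vh.get("servername", "?") for vh in group)
            for cert, group in by_cert.items()
            if len({tuple(vh.get(k) for k in COMPARED) for vh in group}) > 1}

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_CONF))
```

Any certificate listed in the result is shared by vhosts that a browser may reach over one reused HTTP/2 connection, which is the situation that produces the 421.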