Let's Encrypt produces Apache 421 Errors
Hi,
my hosting provider just opened a ticket w/ cPanel about AutoSSL producing Apache 421 errors on HTTP/2 connections by combining different subdomain vhosts into one Let's Encrypt certificate with several FQDNs.
I'm just jumping in here to help with further explanations about what is going on and possible reasons for this problem.
HTTP/2 allows reusing an already established SSL connection for different hosts if the IP address and the SAN certificate are the same.
Apache 2.4.x reacts with a "421 misdirected request" http error if the vhosts for those different hosts differ in their setup regarding ssl.
AutoSSL in Let's Encrypt mode tries to combine different hosts (subdomains) into one certificate, listing different subs as FQDNs or SANs in the certificate.
By doing so, an SSL connection to a.example.com is, under HTTP/2 rules, reusable for b.example.com if a.example.com and b.example.com share the same IP address and the same SAN certificate.
If Apache detects in such a reused connection that the vhost settings for b.example.com regarding SSL differ from the vhost settings for a.example.com, it throws a "421 Misdirected Request" error.
It looks as if AutoSSL sets up different SSL vhost settings while using the same SAN Let's Encrypt certificate - or - if the SSL setup in those vhosts is the same - Apache has an error in wrongly seeing different document roots in SSL vhosts as different SSL setup settings.
Either way, as long as AutoSSL combines different subs into one Let's Encrypt SAN certificate, Apache 2.4 will throw 421 errors.
I just posted this here so that others have a chance of finding out about this error and so that you - the cPanel team - get direct information about this problem and have the chance to ask me directly about this.
Thanks a lot
Chris
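The mechanism described in the post above, modelled as an added example (not code from the original thread or from cPanel): the client-side coalescing rule of RFC 7540 section 9.1.1 (same IP, certificate covers the new host) and the server-side decision to answer 421 when the coalesced request lands in a vhost whose TLS configuration differs from the one the connection was negotiated for. The vhosts, IPs and DNS table are constructed; the `tls_config` tuple stands in for whatever mod_ssl compares between vhosts.

```python
"""Model of HTTP/2 connection coalescing and Apache's 421 response.

Constructed example: vhost names, IPs and the DNS table below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    name: str
    ip: str
    cert_sans: frozenset   # DNS names listed in the certificate's SAN extension
    tls_config: tuple      # the SSL settings of the vhost (protocols, ciphers, ...)


# Constructed DNS table standing in for real name resolution.
DNS = {
    "a.example.com": {"203.0.113.10"},
    "b.example.com": {"203.0.113.10"},
    "c.example.com": {"203.0.113.11"},
}

SANS = frozenset({"a.example.com", "b.example.com"})   # one SAN cert for both subs
A = VHost("a.example.com", "203.0.113.10", SANS, ("TLSv1.2 TLSv1.3", "HIGH:!aNULL"))
B_SAME = VHost("b.example.com", "203.0.113.10", SANS, ("TLSv1.2 TLSv1.3", "HIGH:!aNULL"))
B_DIFF = VHost("b.example.com", "203.0.113.10", SANS, ("TLSv1.2", "HIGH:!aNULL"))


def san_matches(san: str, host: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost label only."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return False


def client_may_coalesce(conn_vhost: VHost, target_host: str) -> bool:
    """Client side: reuse the existing connection for target_host only if it
    resolves to the connection's IP and the presented cert already covers it."""
    return (conn_vhost.ip in DNS.get(target_host, set())
            and any(san_matches(s, target_host) for s in conn_vhost.cert_sans))


def server_response(conn_vhost: VHost, target_vhost: VHost) -> int:
    """Server side: a request arriving on a connection negotiated for conn_vhost
    but addressed to target_vhost is served only if the SSL setup is identical;
    otherwise the client is told to open a fresh connection with 421."""
    if target_vhost.name != conn_vhost.name and target_vhost.tls_config != conn_vhost.tls_config:
        return 421   # Misdirected Request
    return 200
```

With identical SSL settings in both vhosts the coalesced request is served normally; any difference in the vhosts' SSL setup is what turns an otherwise valid reuse into a 421.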
I just read in this thread here that the SSL files are stored at /var/cpanel/ssl/apache_tls/$domain.tld/
If a Let's Encrypt SAN certificate with a.example.com, b.example.com (and , ) is issued via AutoSSL, will it store this certificate twice (or four times) under /var/cpanel/ssl/apache_tls/a.example.com/
and /var/cpanel/ssl/apache_tls/b.example.com/
and link those files in the vhost*443 setup accordingly? Or is a SAN certificate only saved under one path /var/cpanel/ssl/apache_tls/a.example.com/
and this one referenced in the vhost*443 for b.example.com as well?
Hello! Have you considered switching to the default AutoSSL provider rather than Let's Encrypt? The default provider doesn't combine different vhosts' domains onto single certificates and has a much higher per-certificate domain count limit.