Apache is still throwing 421s after update to 2.4.65
Seems whatever issue was caused previously continues to persist now in 2.4.65.
NAGIOS, using check_http, now sees 421s across all our cPanel hosts, whereas we used to see 200s just fine.
Below, domain.tld is the server's hostname, so SNI shouldn't be an issue
[~] /usr/local/libexec/nagios/check_http -H domain.tld -S
HTTP WARNING: HTTP/1.1 421 Misdirected Request
...to get around this, we're having to explicitly use SNI:
[~] /usr/local/libexec/nagios/check_http -H domain.tld --sni -S
HTTP OK: HTTP/1.1 200 OK
If I check with openssl, I get the same results (domain.tld and 1.2.3.4 are, again, the hostname and the main IP of the server):
[~] echo -e "HEAD / HTTP/1.1\r\nHost: domain.tld\r\nConnection: close\r\n\r\n" | openssl s_client -connect 1.2.3.4:443 -quiet 2>/dev/null | grep HTTP | awk '{print $2}'
421
Something is not correct with 2.4.65 and we have no proxies or NGINX involved (pursuant to the "Update about the Apache 421 error situation" article)
-
Hey there! Any chance you could create a ticket on this one? I actually haven't had *any* complaints with the latest update so we'd be interested in taking a look.
0 -
In looking at this more, I'm presuming that as part of resolving the CVEs involved and therefore stricter internal SNI checking during the TLS handshake this may just be the new normal and we'll have to make some adjustments.
Any input from the cPanel team would be appreciated when possible.
Thank you =)
0 -
That is exactly the case - if there are any outside tools they'll have to be adjusted to handle the strict SNI checks.
0 -
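The difference described in this thread (421 without SNI, 200 with it) can be confirmed from a monitoring host by probing the same vhost both ways. This is an added example, not part of the original thread or of cPanel's tooling; the function names and verdict strings are assumptions, and `-noservername` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: compare the HTTP status a TLS vhost returns with and without SNI.
# Usage: sh sni_probe.sh 1.2.3.4 443 domain.tld   (placeholder values from the thread)

# Print the status code of the first HTTP status line read on stdin.
status_of() {
    awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { print $2; exit }'
}

# probe IP PORT HOSTNAME MODE   (MODE: "sni" sends the hostname, anything else sends none)
probe() {
    ip=$1 port=$2 host=$3
    if [ "$4" = sni ]; then
        sni_opt="-servername $host"
    else
        sni_opt="-noservername"
    fi
    # $sni_opt is left unquoted on purpose so it splits into flag and value.
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" |
        openssl s_client -connect "$ip:$port" $sni_opt -quiet 2>/dev/null |
        status_of
}

# classify STATUS_WITHOUT_SNI STATUS_WITH_SNI -> one-word verdict
classify() {
    case "$1:$2" in
        :*|*:)  echo no-response ;;           # a probe returned no status line
        *:421)  echo misdirected-with-sni ;;  # 421 even though SNI was sent
        421:*)  echo sni-required ;;          # the pattern reported in this thread
        *)      echo sni-not-enforced ;;      # no 421 when SNI is missing
    esac
}

# Runs only when called with IP, port and hostname.
if [ "$#" -eq 3 ]; then
    without=$(probe "$1" "$2" "$3" nosni)
    with=$(probe "$1" "$2" "$3" sni)
    echo "no SNI: ${without:-none}  with SNI: ${with:-none}  => $(classify "$without" "$with")"
fi
```

A verdict of `sni-required` means the check itself needs changing, for example by adding `--sni` to check_http as shown above.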
cPRex before opening a ticket, a quick check against the tests I gave above with whatever domains are at the team's disposal would be great. If this is the expected behavior due to much stricter SNI checking in 2.4.65 then we'll simply push updated NAGIOS checks knowing it's apropos - else, I'm happy to open a ticket.
Note that everything is "working fine" in terms of site loads, it was simply monitoring that blew up.
0 -
cPRex sounds good, we will do that, thank you.
0 -
You're welcome!
0 -
We had exactly the same problem too :(
Andrew N. - cPanel Plesk VMWare Certified Professional
0 -
Yeah the 421 issue irritatingly returned and the only thing that "fixed" it for now was to downgrade
dnf downgrade ea-apache24
No other solution I found on the WHM or cPanel forums had any effect at all. Only downgrading made it possible to connect again for those that were unable to.
Not every user or application in the world can be upgraded to fit this update, instead it simply blocks 50% of the world from accessing your server's sites. There must be a better solution than downgrading every time there is an update.
0 -
Richard Brandson - are you using CloudLinux?
0 -
cPRex yes that is correct!
0 -
It would be best to follow along in the main thread at https://support.cpanel.net/hc/en-us/community/posts/33554028389655?page=4 as CloudLinux is experiencing issues with this outside of cPanel. I'll be posting an update there soon.
1 -
Thanks cPRex I will look into that!
I appreciate it, it is indeed a better thread to follow in my case.
0