
Let's Encrypt produces Apache 421 Errors

Discussion in 'Security' started by crnm, Sep 28, 2018.

  1. crnm

    crnm Registered

    Joined:
    Sep 27, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    germany
    cPanel Access Level:
    Website Owner

    Hi,

    my hosting provider just opened a ticket w/ cPanel about AutoSSL producing Apache 421 errors on HTTP/2 connections by combining different subdomain vhosts into one Let's Encrypt certificate with several FQDNs.

    I'm just jumping in here to help with further explanations about what is going on and possible reasons for this problem.

    HTTP/2 allows an already established SSL connection to be reused for different hosts if the IP address and the SAN certificate are the same.

    Apache 2.4.x reacts with a "421 misdirected request" http error if the vhosts for those different hosts differ in their setup regarding ssl.

    AutoSSL in Let's Encrypt mode tries to combine different hosts (subdomains) into one certificate, listing different subs as FQDNs or SANs in the certificate.

    By doing so, an SSL connection to a.example.com is, under HTTP/2 rules, reusable for b.example.com if a.example.com and b.example.com share the same IP address and the same SAN certificate.

    If Apache detects, in such a reused connection, that the vhost settings for b.example.com regarding SSL differ from the vhost settings for a.example.com, it throws a "421 misdirected request" error.

    It looks as if AutoSSL sets up different SSL vhost settings while using the same SAN Let's Encrypt certificate - or - if the SSL setup in those vhosts is the same - Apache has an error in wrongly seeing different document roots in SSL vhosts as different SSL setup settings.

    Either way, as long as AutoSSL combines different subs into one Let's Encrypt SAN certificate, Apache 2.4 will throw 421 errors.

    I just posted this here so that others have a chance of finding out about this error, and so that you - the cPanel team - get direct information about this problem and have the chance to ask me about it directly.

    Thanks a lot

    Chris
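    The coalescing rule described in the post above (same IP address, hostname covered by the certificate that was presented, TLS settings of the newly selected vhost must match the one the handshake was done with) can be checked ahead of time against the Apache configuration. The following is an added example, not code from the thread or from cPanel: it parses a constructed vhost configuration, looks up each certificate's SAN list (constructed here; on a real server it would be read from the PEM file), and reports the vhost pairs an HTTP/2 client could coalesce onto one connection whose TLS directives differ, i.e. the pairs that would produce a 421. The set of directives compared (`TLS_DIRECTIVES`) and the `/var/cpanel/ssl/apache_tls/...` paths are assumptions for illustration.

```python
import re
from itertools import permutations

# Constructed Apache-style configuration (illustration only). a.example.com and
# b.example.com share one SAN certificate but differ in SSLProtocol; c.example.com
# has its own single-name certificate.
SAMPLE_CONFIG = """
<VirtualHost 203.0.113.10:443>
    ServerName a.example.com
    SSLCertificateFile /var/cpanel/ssl/apache_tls/a.example.com/combined
    SSLProtocol all -SSLv3 -TLSv1
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName b.example.com
    SSLCertificateFile /var/cpanel/ssl/apache_tls/a.example.com/combined
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName c.example.com
    SSLCertificateFile /var/cpanel/ssl/apache_tls/c.example.com/combined
    SSLProtocol all -SSLv3 -TLSv1
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
"""

# Constructed SAN lists keyed by certificate file (would be parsed from the PEM in practice).
CERT_SANS = {
    "/var/cpanel/ssl/apache_tls/a.example.com/combined": {
        "a.example.com", "www.a.example.com", "b.example.com", "www.b.example.com",
    },
    "/var/cpanel/ssl/apache_tls/c.example.com/combined": {"c.example.com"},
}

# Directives treated as TLS-relevant for the comparison (assumed set, chosen for the example).
TLS_DIRECTIVES = ("SSLCertificateFile", "SSLProtocol", "SSLCipherSuite", "SSLVerifyClient")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(text):
    """Return a list of {'addr', 'name', 'tls'} dicts, one per <VirtualHost> block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)  # "Directive value..." -> [Directive, value]
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip()
        vhosts.append({
            "addr": addr.strip(),
            "name": directives["ServerName"],
            # Hashable snapshot of the TLS-relevant directives, missing ones recorded as None.
            "tls": tuple((d, directives.get(d)) for d in TLS_DIRECTIVES),
        })
    return vhosts


def name_matches(san, host):
    """Match a certificate SAN entry against a hostname; '*.' covers exactly one label."""
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def covered(sans, host):
    return any(name_matches(s, host) for s in sans)


def find_421_risks(vhosts, cert_sans):
    """List (handshake_vhost, requested_vhost) pairs that a coalescing client could
    send on one connection and whose TLS directives differ (the 421 condition)."""
    risks = []
    for a, b in permutations(vhosts, 2):
        if a["addr"] != b["addr"]:
            continue  # different IP:port, the client will not coalesce
        sans = cert_sans.get(dict(a["tls"])["SSLCertificateFile"], set())
        if covered(sans, b["name"]) and a["tls"] != b["tls"]:
            risks.append((a["name"], b["name"]))
    return risks


if __name__ == "__main__":
    for handshake_host, requested_host in find_421_risks(parse_vhosts(SAMPLE_CONFIG), CERT_SANS):
        print(f"421 risk: connection to {handshake_host} reused for {requested_host}")
```

    Running it on the constructed config reports the a.example.com / b.example.com pair in both directions, because the shared certificate lets a client reuse either connection for the other name while the SSLProtocol lines differ; c.example.com is never reported because its certificate covers only itself. Making the TLS directives of every vhost that shares a certificate identical removes the pairs from the output, which matches the poster's point that the combination of a shared SAN certificate and diverging vhost SSL settings is what triggers the error.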
     
  2. crnm

    crnm Registered

    Joined:
    Sep 27, 2018
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    germany
    cPanel Access Level:
    Website Owner
    I just read in this thread here: Path to domain specific SSL certificate that the SSL files are stored at
    Code:
    /var/cpanel/ssl/apache_tls/$domain.tld/
    
    If a let's encrypt san certificate with a.example.com, b.example.com (and www.a.example.com, www.b.example.com) is issued via autossl, will it store this certificate twice (or four times) under

    Code:
    /var/cpanel/ssl/apache_tls/a.example.com/
    
    and

    Code:
    /var/cpanel/ssl/apache_tls/b.example.com/
    
    and link those files in the vhost*443 setup accordingly?

    Or is a san certificate only saved under one path

    Code:
    /var/cpanel/ssl/apache_tls/a.example.com/
    
    and this one referenced in the vhost*443 for b.example.com as well?
     
  3. cPanelFelipe

    cPanelFelipe Member Staff Member

    Joined:
    Apr 10, 2013
    Messages:
    13
    Likes Received:
    10
    Trophy Points:
    78
    Hello!

    Have you considered switching to the default AutoSSL provider rather than Let’s Encrypt? The default provider doesn’t combine different vhosts’ domains onto single certificates and has a much higher per-certificate domain count limit.
     