421 Misdirected Request
This is caused by the following sequence of events:
- The server and client both support and use HTTP/2.
- The client requests a page at
foo.example.com
. - During TLS negotiation, the server presents a certificate which is valid for both
foo.example.com
andbar.example.com
(and the client accepts it). This could be done with a wildcard certificate or a SAN certificate. - The client reuses the connection to make a request for
bar.example.com
. - The server is unable or unwilling to support cross-domain connection reuse (for example because you configured their SSL differently and Apache wants to force a TLS renegotiation), and serves HTTP 421.
- The client does not automatically retry with a new connection (see for example Chrome bug #546991, now fixed). The relevant RfC says that the client MAY retry, not that it SHOULD or MUST. Failing to retry is not particularly user-friendly, but might be desirable for a debugging tool or HTTP library.
Event #6 is out of your control, but depending on the server's software, #5 may be fixable. Consult your server's HTTP/2 documentation for more information on how and when it sends HTTP 421. Alternatively, you could issue separate certificates for each domain, but that creates more administrative overhead and may not be worth it. You could also turn off HTTP/2 entirely, but that's probably overkill in most cases.