
Fix the frustrating “421 Misdirected Request” error that appears on all your Plesk-managed HTTPS sites after updating Apache on Ubuntu 22.04. This in-depth guide explains how recent CVE patches changed Apache’s SNI requirements, why nginx’s default proxy settings break SSL vhost matching, and how to permanently restore access by enabling proxy_ssl_server_name and proxy_ssl_name in a custom nginx include. You’ll also learn how to automate this fix across updates, monitor logs for SSL handshake issues, and follow best practices to keep your sites secure and online without interruption.
1. Symptoms
- All HTTPS sites on Plesk for Ubuntu 22.04 begin returning 421 Misdirected Request.
- Browser shows “The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.”
- Apache error log:
AH02032: Hostname default-203_0_113_2 (default host as no SNI was provided) and hostname www.example.com provided via HTTP have no compatible SSL setup
2. Root Cause
In a recent Ubuntu Apache update (2.4.58-1ubuntu8.7), security patches tightened how Apache handles SNI. By default, nginx’s proxy_ssl_server_name is off, so nginx sends no SNI when it proxies HTTPS requests to Apache. Without SNI, Apache falls back to the default vhost for the TLS connection, which does not match the hostname in the HTTP request, causing the misdirected request.
3. Step-by-Step Resolution
3.1 SSH into Your Server
ssh root@your-server-ip
3.2 Create the nginx Fix File
Create the include file with these two directives so that nginx sends SNI to Apache:
cat <<'EOF' > /etc/nginx/conf.d/99-proxy-sni.conf
proxy_ssl_server_name on;
proxy_ssl_name $host;
EOF
3.3 Reload nginx
service nginx restart
3.4 Verify Apache Connectivity
Watch Apache’s error log:
tail -f /var/log/apache2/error.log
Then test with curl:
curl -Ik https://www.your-domain.com/
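To go with the log check in 3.4, here is an added example (not part of the original guide) that counts AH02032 rejections per requested hostname and checks whether a dumped nginx configuration enables upstream SNI. The function names are hypothetical, and the sample log lines are constructed around the AH02032 message quoted in section 1.

```bash
#!/usr/bin/env bash
# Added example: post-update checks for the nginx -> Apache SNI problem.

# Print "<count> <hostname>" for every HTTP Host rejected with AH02032.
# Reads the log file named in $1, or stdin when no file is given.
ah02032_report() {
    awk '
        /AH02032/ && match($0, /and hostname [^ ]+ provided via HTTP/) {
            # Strip "and hostname " (13 chars) and " provided via HTTP" (18 chars).
            host = substr($0, RSTART + 13, RLENGTH - 31)
            seen[host]++
        }
        END { for (host in seen) printf "%d %s\n", seen[host], host }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Succeed only if the config text on stdin has an active (uncommented)
# "proxy_ssl_server_name on;" line. Intended input: output of `nginx -T`.
upstream_sni_enabled() {
    grep -Eq '^[[:space:]]*proxy_ssl_server_name[[:space:]]+on[[:space:]]*;'
}

# Constructed sample log lines (timestamps, PIDs and client IPs are made up).
SAMPLE_LOG='[Mon Jul 21 10:15:02.100000 2025] [ssl:error] [pid 1201:tid 1301] [client 198.51.100.7:40112] AH02032: Hostname default-203_0_113_2 (default host as no SNI was provided) and hostname www.example.com provided via HTTP have no compatible SSL setup
[Mon Jul 21 10:15:03.200000 2025] [mpm_event:notice] [pid 1200:tid 1300] AH00489: Apache/2.4.58 (Ubuntu) configured -- resuming normal operations
[Mon Jul 21 10:15:04.300000 2025] [ssl:error] [pid 1201:tid 1302] [client 198.51.100.8:40220] AH02032: Hostname default-203_0_113_2 (default host as no SNI was provided) and hostname shop.example.com provided via HTTP have no compatible SSL setup
[Mon Jul 21 10:15:05.400000 2025] [ssl:error] [pid 1201:tid 1303] [client 198.51.100.7:40114] AH02032: Hostname default-203_0_113_2 (default host as no SNI was provided) and hostname www.example.com provided via HTTP have no compatible SSL setup'

# Demo on the constructed sample; prints:
#   2 www.example.com
#   1 shop.example.com
printf '%s\n' "$SAMPLE_LOG" | ah02032_report
```

On a live server, run `ah02032_report /var/log/apache2/error.log` and `nginx -T 2>/dev/null | upstream_sni_enabled && echo "SNI enabled"`. An empty report after the nginx restart means Apache is no longer rejecting proxied requests.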
4. Why the Fix Works
- proxy_ssl_server_name on; tells nginx to include SNI in the SSL handshake.
- proxy_ssl_name $host; ensures the handshake uses the requested hostname.
With SNI enabled, Apache selects the correct SSL vhost and certificate, eliminating the 421 error.
5. Automating the Workaround
cat <<'EOF' > /usr/local/sbin/plesk-nginx-sni-fix.sh
#!/bin/bash
echo -e "proxy_ssl_server_name on;\nproxy_ssl_name \$host;" > /etc/nginx/conf.d/99-proxy-sni.conf
service nginx reload
EOF
chmod +x /usr/local/sbin/plesk-nginx-sni-fix.sh
ln -s /usr/local/sbin/plesk-nginx-sni-fix.sh /etc/cron.daily/plesk-nginx-sni-fix
6. Best Practices & Tips
- Disable auto-OS updates during peak hours in Plesk to avoid surprises.
- Monitor logs with journalctl -f and tail -f /var/log/nginx/error.log.
- Staging first: clone and test before production updates.
- Snapshots: back up your VM/instance before critical package changes.
- Stay informed: follow the Plesk KB for official patches.