SAN does not play well w/apache + HTTP/2.0


#1

not really a question … just sharing some experience that others might run into. if you:

  • run an apache server (last checked version 2.4.18)
  • use mod_h2 for HTTP/2.0
  • have multiple vhosts (i.e. <VirtualHost>, not ServerAlias in a single <VirtualHost>)
  • want to enable SSL for all of them

then you should be aware that using SAN does not play well with clients:
https://icing.github.io/mod_h2/howto.html#h2-restrictions
if your server sometimes produces HTTP 421 errors, you’re probably hitting this problem.

you can use SAN as long as all the domains belong to the same <VirtualHost> instance (i.e. show up in ServerName/ServerAlias). however, each distinct <VirtualHost> block needs a separate certificate.

as an example, i have:

which means i (currently) need 3 certificates so that clients do not confuse the server. once apache is fixed though, i should be able to get a single cert and have each vhost use it.
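The layout problem described in the post, as an added example (not code from the post, from Apache or from mod_h2): an HTTP/2 client may reuse a connection it opened to one host for any other host that the presented certificate covers and that resolves to the same address, so a SAN certificate whose names are spread over several <VirtualHost> blocks is exactly what produces the 421s. The script below parses a small Apache config, takes each certificate's SAN list from a constructed table (in real use you would read it from `openssl x509 -in cert.pem -noout -text`), and lists every host that a client could coalesce onto a connection belonging to a different <VirtualHost> block. It then applies the workaround from the post, one certificate per block, and confirms that no such pair remains. The config, hostnames, certificate paths and SAN lists are all constructed for this example; the "same address" test is approximated by comparing the <VirtualHost> address argument.

```python
"""Flag Apache vhost/certificate layouts that trigger HTTP 421 under HTTP/2.

Model (from the post): a client that already has an HTTP/2 connection to
vhost A will send requests for hostname H over it when A's certificate
covers H and H is served at the same address. If H belongs to a different
<VirtualHost> block than A, Apache 2.4.18 answers 421.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VHost:
    listen: str                      # the <VirtualHost ...> address argument
    names: List[str] = field(default_factory=list)  # ServerName first, then aliases
    cert: Optional[str] = None       # SSLCertificateFile path


def parse_vhosts(config: str) -> List[VHost]:
    """Minimal line-based parser for the directives this check needs."""
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if m:
            current = VHost(listen=m.group(1).strip())
            continue
        if line.lower() == "</virtualhost>":
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "servername":
            # ServerName may carry a scheme and port: https://host:443
            host = parts[1].split("://")[-1].split(":")[0].lower()
            current.names.insert(0, host)
        elif directive == "serveralias":
            current.names.extend(n.lower() for n in parts[1:])
        elif directive == "sslcertificatefile":
            current.cert = parts[1]
    return vhosts


def san_matches(san: str, host: str) -> bool:
    """DNS-name match; a leading wildcard covers exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]                       # ".example.org"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]  # "a.b.example.org" does not match
    return san == host


def coalescing_risks(vhosts: List[VHost],
                     sans_by_cert: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(vhost ServerName, hostname) pairs where a connection opened to the
    vhost could legitimately carry a request for a hostname that lives in a
    different <VirtualHost> block at the same address."""
    risks: List[Tuple[str, str]] = []
    for a in vhosts:
        sans = sans_by_cert.get(a.cert or "", [])
        for b in vhosts:
            if b is a or b.listen != a.listen:
                continue
            for host in b.names:
                if any(san_matches(s, host) for s in sans):
                    risks.append((a.names[0], host))
    return risks


def split_certificates(vhosts: List[VHost]) -> Tuple[List[VHost], Dict[str, List[str]]]:
    """The post's workaround: one certificate per block, covering only that
    block's own names. Certificate paths here are hypothetical."""
    fixed, sans = [], {}
    for v in vhosts:
        path = f"/etc/ssl/{v.names[0]}.pem"
        fixed.append(VHost(v.listen, list(v.names), path))
        sans[path] = list(v.names)
    return fixed, sans


# Constructed config: two separate blocks share one SAN certificate.
CONFIG = """
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    SSLCertificateFile /etc/ssl/example-san.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName bugs.example.org
    SSLCertificateFile /etc/ssl/example-san.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName wiki.example.net
    SSLCertificateFile /etc/ssl/wiki.pem
</VirtualHost>
"""

# Constructed SAN lists standing in for the certificates' subjectAltName extension.
SANS_BY_CERT = {
    "/etc/ssl/example-san.pem": ["www.example.com", "example.com", "*.example.org"],
    "/etc/ssl/wiki.pem": ["wiki.example.net"],
}

if __name__ == "__main__":
    vhosts = parse_vhosts(CONFIG)
    for a, h in coalescing_risks(vhosts, SANS_BY_CERT):
        print(f"421 risk: connection to {a} may carry requests for {h}")
    print("after splitting certs:", coalescing_risks(*split_certificates(vhosts)))
```

Running the script reports that a connection to www.example.com can carry requests for bugs.example.org (covered by `*.example.org`) and a connection to bugs.example.org can carry requests for www.example.com and example.com; wiki.example.net, which has its own certificate, is never involved. After the split, the list is empty.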


#2

Well, the site also says “All will work (…)”. The client just connects again. The user should be totally oblivious to this, no error in his face whatsoever :smile: So… How big is the impact? Should one even care about the HTTP 421 errors? What are the “efficiency” implications, as that's what they are saying: “All will work, however some efficiency gets lost.”


#3

Chrome does not retry. when you visit bugs.example.org and then open a tab and try to go to www.example.com, you just get the apache HTTP 421 error page and nothing else. the user has no reasonable recourse.