SAN does not play well w/apache + HTTP/2.0


not really a question … just sharing some experience that others might run into. if you:

  • run an apache server (last checked version 2.4.18)
  • use mod_h2 for HTTP/2.0
  • have multiple vhosts (i.e. <VirtualHost>, not ServerAlias in a single <VirtualHost>)
  • want to enable SSL for all of them

then you should be aware that using SAN does not play well with clients:
if your server sometimes produces HTTP 421 errors, you’re probably hitting this problem.

you can use SAN as long as all the domains belong to the same <VirtualHost> instance (i.e. show up in ServerName/ServerAlias). however, each distinct <VirtualHost> block needs a separate certificate.

as an example, i have:

which means i (currently) need 3 certificates so that clients do not confuse the server. once apache is fixed though, i should be able to get a single cert and have each vhost use it.
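The rule stated in the post above (a SAN certificate is fine inside one <VirtualHost>, but must not span distinct <VirtualHost> blocks) can be checked mechanically. The Python script below is an added example, not part of the original post; the hostnames, file paths and SAN lists are constructed, and wildcard SANs are not handled.

```python
import re

# Constructed sample config; hostnames and paths are placeholders.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName www.example.test
    ServerAlias example.test
    SSLCertificateFile /etc/ssl/shared.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName mail.example.test
    SSLCertificateFile /etc/ssl/shared.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName git.example.test
    SSLCertificateFile /etc/ssl/git.pem
</VirtualHost>
"""
# Constructed SAN lists per certificate file (in practice, read them from the certificates).
SAMPLE_SANS = {
    "/etc/ssl/shared.pem": ["www.example.test", "example.test", "mail.example.test"],
    "/etc/ssl/git.pem": ["git.example.test"],
}
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.I | re.M)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: its hostnames and its certificate path."""
    vhosts = []
    for body in re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        names, cert = [], None
        for key, val in DIRECTIVE.findall(body):
            if key.lower() == "sslcertificatefile":
                cert = val
            else:
                names += val.lower().split()
        vhosts.append({"names": names, "cert": cert})
    return vhosts

def cross_vhost_sans(vhosts, sans_by_cert):
    """List (vhost index, SAN, owning vhost index) where a cert names another block's host."""
    owner = {n: i for i, v in enumerate(vhosts) for n in v["names"]}
    return [(i, san.lower(), owner[san.lower()])
            for i, v in enumerate(vhosts)
            for san in sans_by_cert.get(v["cert"], [])
            if owner.get(san.lower(), i) != i]

if __name__ == "__main__":
    for i, san, j in cross_vhost_sans(parse_vhosts(SAMPLE_CONF), SAMPLE_SANS):
        print(f"vhost #{i}: certificate also covers {san}, which is served by vhost #{j}")
```

Each finding is a hostname that a client may try to reach over a connection opened to a different vhost, which is the situation the post associates with HTTP 421.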


Well, the site also says “All will work (…)”. The client just connects again. The user should be totally oblivious to this, no error in his face whatsoever :smile: So… How big is the impact? Should one even care about the HTTP 421 errors? What are the “efficiency” implications, as that's what they are saying: “All will work, however some efficiency gets lost.”


Chrome does not retry. when you visit and then open a tab and try to go to, you just get the apache HTTP 421 error page and nothing else. the user has no reasonable recourse.