🔧 Fixing Cloudflare “421 Misdirected Request” on AlmaLinux/CloudLinux with cPanel & Apache
If you’re seeing this:
421 Misdirected Request
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.
This happens when Cloudflare (in Full or Full (Strict) mode) hits an Apache version that can’t handle SNI properly behind a proxy — even if SSL is valid via Let’s Encrypt or AutoSSL.
✅ Affected Environments
- AlmaLinux 9 with cPanel
- CloudLinux 9 with cPanel
- Apache only (no NGINX)
- Sites proxied through Cloudflare in Strict, Full, or Full (Strict) mode
🛠️ How to Fix the 421 Misdirected Request Error
You must upgrade Apache to version 2.4.64 or newer, which includes a patch to resolve the SNI mismatch.
🔧 Step-by-Step for AlmaLinux/CloudLinux 9
# 1. Temporarily enable the EasyApache testing repo
dnf config-manager --enable cl-ea4-testing
# 2. Upgrade Apache to latest testing build
dnf update ea-apache24* --enablerepo=cl-ea4-testing
# 3. Restart Apache to apply changes
systemctl restart httpd
# 4. Disable the testing repo again to avoid future unintended updates
dnf config-manager --disable cl-ea4-testing
⚠️ Only leave the testing repo enabled during the upgrade. Never leave it active on production.
🔍 Confirm Apache Version
httpd -v
Should return:
Server version: Apache/2.4.64 (cPanel)
✅ Adjust Cloudflare SSL Mode
Log into your Cloudflare dashboard:
- Go to SSL/TLS > Overview
- Set your domain’s SSL mode to Full (Strict)
🔐 SSL Modes Explained
- Strict – Not Recommended unless you pay for Enterprise.
- Full (Strict) — 🔒✅ RECOMMENDED
Valid SSL at origin + full encryption. Prevents MITM. - Full — 🔒⚠️
Encrypts but doesn’t validate origin cert — allows expired/self-signed certs. - Flexible — 🔓❌
Cloudflare connects to your server over HTTP. Breaks AutoSSL and should not be used. - Off — 🔓🚫
Completely disables SSL — do not use in production.
💬 Need Help?
If you’re stuck or just want it fixed for you, reach out:
📩 https://help4network.com/contact.php
2026 421 troubleshooting refresh
A 421 Misdirected Request on a Cloudflare-proxied cPanel site usually means the public request reached a TLS or virtual-host path that did not match the expected hostname. Before changing Apache, CloudLinux, or SSL settings, capture the affected hostname, Cloudflare SSL mode, certificate issuer, Apache vhost mapping, ServerAlias entries, and whether the problem appears only through the proxy.
Back up Apache templates, cPanel userdata, and any manual include files before editing. Test the origin and Cloudflare edge separately, then verify the final page, canonical URL, SSL certificate chain, wp-admin, forms, and cache state from a public connection.
Related Fix I.T. Phill reading
- Apache 421 and Cloudflare/cPanel SSL checklist
- Set up DNS in Cloudflare for WordPress
- Check DNS propagation before launch


