🛠 Fix “421 Misdirected Request” on CloudLinux/cPanel (Apache‑Only Patch)

Learn how to resolve the 421 Misdirected Request error in cPanel servers behind Cloudflare using Full (Strict) SSL. This tutorial walks you through upgrading Apache on AlmaLinux and CloudLinux.

🔧 Fixing Cloudflare “421 Misdirected Request” on AlmaLinux/CloudLinux with cPanel & Apache

If you’re seeing this:

421 Misdirected Request
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

This happens when Cloudflare (in Full or Full (Strict) mode) hits an Apache version that can’t handle SNI properly behind a proxy — even if SSL is valid via Let’s Encrypt or AutoSSL.


✅ Affected Environments

  • AlmaLinux 9 with cPanel
  • CloudLinux 9 with cPanel
  • Apache only (no NGINX)
  • Sites proxied through Cloudflare in Strict, Full, or Full (Strict) mode

🛠️ How to Fix the 421 Misdirected Request Error

You must upgrade Apache to version 2.4.64 or newer, which includes a patch to resolve the SNI mismatch.


🔧 Step-by-Step for AlmaLinux/CloudLinux 9

# 1. Temporarily enable the EasyApache testing repo
dnf config-manager --enable cl-ea4-testing

# 2. Upgrade Apache to the latest testing build (quote the glob so the shell does not expand it)
dnf update 'ea-apache24*' --enablerepo=cl-ea4-testing

# 3. Restart Apache to apply changes
systemctl restart httpd

# 4. Disable the testing repo again to avoid future unintended updates
dnf config-manager --disable cl-ea4-testing

⚠️ Only leave the testing repo enabled during the upgrade. Never leave it active on production.


🔍 Confirm Apache Version

httpd -v

It should report version 2.4.64 or newer, for example:

Server version: Apache/2.4.64 (cPanel)
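
To check both outcomes of the procedure at once (Apache at 2.4.64 or newer, and the testing repo disabled again), a script like the following can help. This is an added example, not part of the original tutorial; the function names and the `--live` switch are this example's own, and the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example: post-upgrade check for the steps in this tutorial.
MIN_VERSION="2.4.64"        # minimum Apache version named in this tutorial
TESTING_REPO="cl-ea4-testing"

# Pull "2.4.64" out of `httpd -v` output ("Server version: Apache/2.4.64 (cPanel)").
apache_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when version $1 >= $2. sort -V compares numerically per component,
# so 2.4.100 ranks above 2.4.64 (a plain string compare would get this wrong).
version_at_least() {
    [ -n "$1" ] && [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Succeed when repo id $2 is listed in `dnf repolist --enabled` output $1.
repo_enabled() {
    printf '%s\n' "$1" | awk -v id="$2" '$1 == id { found = 1 } END { exit !found }'
}

# $1 = `httpd -v` output, $2 = `dnf repolist --enabled` output.
# Prints one result line; returns non-zero if either check fails.
check_upgrade() {
    local ver
    ver="$(apache_version "$1")"
    if ! version_at_least "$ver" "$MIN_VERSION"; then
        echo "FAIL: Apache ${ver:-unknown} is older than $MIN_VERSION"
        return 1
    fi
    if repo_enabled "$2" "$TESTING_REPO"; then
        echo "FAIL: $TESTING_REPO is still enabled"
        return 1
    fi
    echo "OK: Apache $ver, $TESTING_REPO disabled"
}

if [ "${1:-}" = "--live" ]; then
    # On the server: check the real httpd binary and repo configuration.
    check_upgrade "$(httpd -v)" "$(dnf -q repolist --enabled)"
else
    # Constructed sample input, not captured from a real host.
    check_upgrade "Server version: Apache/2.4.64 (cPanel)" \
"repo id   repo name
cl-ea4    EasyApache 4 (constructed)"
fi
```

Run it with `--live` on the server after step 4; without arguments it only exercises the constructed sample.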

✅ Adjust Cloudflare SSL Mode

Log into your Cloudflare dashboard:

  1. Go to SSL/TLS > Overview
  2. Set your domain’s SSL mode to Full (Strict)

🔐 SSL Modes Explained

  • Strict – Not Recommended unless you pay for Enterprise.
  • Full (Strict) — 🔒✅ RECOMMENDED
    Valid SSL at origin + full encryption. Prevents MITM.
  • Full — 🔒⚠️
    Encrypts but doesn’t validate origin cert — allows expired/self-signed certs.
  • Flexible — 🔓❌
    Cloudflare connects to your server over HTTP. Breaks AutoSSL and should not be used.
  • Off — 🔓🚫
    Completely disables SSL — do not use in production.

💬 Need Help?

If you’re stuck or just want it fixed for you, reach out:

📩 https://help4network.com/contact.php
