Client library requests return 421 in AEM as a Cloud Service when CDN origin override applies only to root paths

In AEMaaCS, a customer-managed CDN serve the home page correctly but return 421 errors for client library requests when the origin override is applied only to the root path. This happens when the CDN does not send the required Host and SNI values on all paths, so requests such as /etc.clientlibs/... no longer match the expected TLS certificate routing. The result is a misdirected request error even though the root URL appears to work. Apply the CDN origin override to all required paths, then validate the affected asset requests with curl and x-aem-debug.

Description description

Environment

  • Adobe Experience Manager as a Cloud Service
  • Customer-managed CDN

Issue/Symptoms

  • The site root loads, but client library files under /etc.clientlibs/... fail.
  • Requests return 421 Misdirected Request.
  • The response includes a message similar to Requested host does not match any Subject Alternative Names (SANs) on TLS certificate.
  • CSS or JavaScript files fail to load even though the main page appears reachable.

Cause

The customer-managed CDN is not applying the correct origin, Host, or SNI override to all paths that must be forwarded to AEM as a Cloud Service. When the override is limited to the root path, requests for assets such as /etc.clientlibs/... are forwarded with incorrect routing values and Fastly rejects them with a 421 response.

Resolution resolution

To resolve 421 errors for client library requests when CDN origin override applies only to root paths, follow these steps:

  1. Review the customer-managed CDN configuration for origin, Host, and SNI overrides.
  2. Update the rules so the required override applies to all paths that must be served through AEMaaCS, not only to the root path.
  3. Check that asset paths such as /etc.clientlibs/... and confirm they are covered by the same routing rule set.
  4. Check rule ordering and priority to prevent a narrower root-path rule from blocking the override for asset requests.
  5. Retest the affected CSS or JavaScript file paths with curl and confirm they no longer return 421.
  6. Open the site in a browser and verify that client libraries load correctly and the page renders without missing styles or scripts.
  7. If the direct publish endpoint also fails, or if the 421 response continues after correcting the CDN path rules, contact Adobe Support and provide the curl -sv output and the CDN rule configuration for the affected paths.
recommendation-more-help
experience-cloud-kcs-help-kbarticles