What is causing ERR_SSL_PROTOCOL_ERROR in an AWS China hosted site?


I have a site hosted in AWS China (https://app.bsdeducation.cn) which is periodically encountering SSL errors, specifically ERR_SSL_PROTOCOL_ERROR. This happens when the front-end application makes HTTPS requests to various back-end services. The front-end certificate was created with Let's Encrypt and the front-end is served via CloudFront. The back-end services (e.g. Elastic Beanstalk or API Gateway) use a different subdomain (e.g. api-r79.bsdeducation.cn) and use a different certificate created with Amazon Certificate Manager.

This is not a browser- or machine-specific issue that can be resolved by clearing the browser cache, fixing the date & time, disabling the QUIC protocol or changing antivirus settings.

Some observations about this problem:

  • it is intermittent, i.e. for hours there may be no problem
  • refreshing the page can help work around the issue
  • it has been observed for users inside mainland China as well as users outside of China
  • non-China users accessing the site using a VPN into China still observe the issue
  • it occurs for most students in the class at the same time, i.e. it's not a consistent problem isolated to specific machines
  • when the problem occurs on someone's machine, it does not affect other HTTPS sites, even other Chinese sites

Unfortunately AWS China CloudFront does not yet support Certificate Manager certificates, so I can't test out what happens when the same certificate is used for front/back end. Anyway, I can't see why the front-end certificate should have any bearing on requests to back-end services.

Testing certificates individually I see no problems with them.

Does anyone have any insight into what could be causing this problem? Could this somehow be caused by the Great Firewall of China? We have an ICP License and our services are all registered with ICP Recordal.

Thank you.
