Cannot establish the TLS connection using some networks in China


#1

Hi, we used Let’s Encrypt (LE) as our SSL solution. It works really well in countries like Australia, the U.S. and others. Users from those countries are able to open our sites without any issues. However, our users inside China can’t open the site; even after we moved our server onto Chinese cloud providers, they still can’t open the site in HTTPS. HTTP worked well both inside and outside China. After some diagnosis, we found that the SSL handshake between our server in China with Let’s Encrypt failed.

Wondering if this is related to network issues? If so, are there any workarounds for our case, e.g. any LE servers in other regions that we can use? Any suggestions are highly appreciated. Thanks!

My domain is: www.888english.cn

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): Linux CentOS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

From your visitors’ point of view, the only connection needed between your visitors and Let’s Encrypt is for OCSP (to check the revocation of your certificate). Could you try to use OCSP stapling on your server?


#3

There was a previous report of similar issues in China:

The website I used to test OCSP connectivity from China in that thread isn’t reporting any issues today, however.


#4

Seems the issue has disappeared by itself, not sure if it’s to do with the network routing in China.

> Could you try to use OCSP stapling on your server?

Yes, we have enabled OCSP stapling since the site was launched. The issue disappeared yesterday. Hope it won’t occur again.

Thanks for your help!
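
The stapling discussed in posts #2 and #4 can be verified from any client with `openssl s_client -status`. The script below is an added example, not part of the original thread: the function names are hypothetical and the sample outputs are constructed and trimmed to the lines the classifier reads.

```shell
#!/bin/sh
# Classify the OCSP part of `openssl s_client -status` output read from stdin.
# Prints: stapled-<cert status>, stapled-error:<status>, not-stapled, or no-ocsp-section.
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { state = "not-stapled" }
        /OCSP Response Status:/ {
            if ($4 == "successful") state = "stapled-no-cert-status"
            else state = "stapled-error:" $4
        }
        /Cert Status:/ && state == "stapled-no-cert-status" { state = "stapled-" $3 }
        /Next Update:/ { sub(/^[ \t]*Next Update:[ \t]*/, ""); next_update = $0 }
        END {
            if (state == "") state = "no-ocsp-section"
            suffix = ""
            if (state ~ /^stapled-/ && next_update != "") suffix = " next-update=" next_update
            print state suffix
        }
    '
}

# Live check (needs network): request a stapled response during the handshake.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
        classify_stapling
}

# Constructed sample: server staples a valid response.
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 11 00:00:00 2018 GMT
    Next Update: Jan 18 00:00:00 2018 GMT
EOF
}

# Constructed sample: stapling is not active, so clients must reach the OCSP responder themselves.
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

sample_stapled | classify_stapling
sample_unstapled | classify_stapling
```

A `not-stapled` result means visitors' browsers may contact the CA's OCSP responder directly, which is the dependency post #2 points at; a `next-update` in the past means the server is serving a stale staple.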

