That's the usual cause of protocol errors. The other one is unable to get a common cipher but that seems unlikely on a modern machine. Maybe try the connection with openssl and see if you can get some details.

Looks like CloudFlare (1.1.1.1) is giving the wrong answers for the DNS lookup.

How could I not think that! Reinforcement of the "it's always DNS" meme.

Works for me too. Have you modified your trust store and removed signers? It's signed by the Amazon Root CA, so it's a short chain, but if you removed them then it would show as invalid.

Looks like CloudFlare (1.1.1.1) is giving the wrong answers for the DNS lookup.