The (very poorly maintained) hosting company we are currently stuck using (at least for another 1-2 years), doesn’t seem to support/assist/allow or even understand the concept of “free SSL certs”. They sell them for $170 themselves. We in the world would they allow us to obtain/install free ones?
I thought we could install one anyway using the “manual method” of Lets Encrypt. How is the very long, complex, impossible to understand “manual method” actually “manual”? It forces us to install plug-ins and download/install custom software.
Manual means manual. We want to MANUALLY just create a folder. MANUALLY just install the certificate, etc. 100% everything must be manual.
Our hosting company is using an extremely old version of a hosting panel that doesn’t even exist any more: WebSitePanel.
They will NEVER be upgrading it, nor changing it.
Contractually, we have to stay at this poorly run hosting company for another 1-2 years.
We also looked into the FULLY manual method over at SslForFree. It would be fully doable except for 1 thing. They demand we create file folders that contain forbidden characters. (Starting with “period”.) So that’s not possible either.
If that's the only problem you had with sslforfree, you might try https://zerossl.com/ which is similar, but also supports a DNS-based challenge as an alternative (disclaimer: I'm just reading their documentation, haven't used that site myself).
Unfortunately, if your hosting provider does not support providing your own certificates or somehow prevents the domain ownership challenge from passing, there’s nothing that Let’s Encrypt can do. It’s simply not technically possible.
Let’s Encrypt removed the financial barrier to getting a publicly-trusted certificate. It’s still up to hosting companies and website owners to make use of that. What Let’s Encrypt can do is make this process both as secure and simple as possible (which, of course, usually involves trade-offs in one direction or the other).
Ultimately, it’ll be up to the market to solve this. Browsers have already started showing warnings for sites that do not use HTTPS if they ask for sensitive information. At some point, all sites that do not use HTTPS will show such warnings. All that is increasing the pressure on hosting companies to simply provide HTTPS as part of their regular hosting packages (which many of them have started doing already), and at some point site owners will just stop using providers which refuse to change. This might not help you in your situation today, but it will help somewhere down the line.
Because providing TLS for little or no fee is morally right, practical to do, their competitors do it, and their customers will leave if they don't.
They are not in a strong position to do the wrong thing, because hosting companies are a dime a dozen and it's (relatively) easy to switch.
You should give the private key to the hosting company.
It's critical to security to keep the private key private and secure. But it needs to be installed on the servers using it. So, if your hosting company operates the relevant servers, they need to possess and install the key.
There are many hosting providers that not only allow you to use Let's Encrypt certificates but even go to some trouble to make it easy for you. I'm guessing that you would already have switched to one of them yourself, if it wasn't for that unfortunate contract. But contracts only last so long, and eventually they'll start losing customers.
As an aside, I think that the momentum is already rolling for SSL certificates to become free – that is to say, issued by Foundation-supported entities such as this one – in order that more and more of the content now being carried through the Internet will be encrypted “as a matter of course.”
The present monopolies have no leg to stand on. As it becomes more and more clear that the companies who merely issue Domain Validation (DV) certificates, while charging you maybe hundreds of dollars each for the privilege, actually aren’t really doing anything to earn that money, I predict that their market/monopoly will evaporate. Then, as the present sometimes-punitive cost blockades fall by the wayside, we will indeed achieve a much more widely-secured Internet, which to me is a very important goal.
(To me, it is indeed an [inter-]national security issue: to reduce the intrinsic vulnerability of every civilian communication while also increasing their accountability. Each message might seem to be a very small thing, but with billions of such messages passing back-and-forth every day, “it adds up.”)