You first need to understand the paid service provided to you by Sucuri.
Which might be cloud based (like CloudFlare CDN) or locally installed on your server.
In either case, they seem to be doing inline HTTPS inspection.
Which means they terminate the SSL the client connects to.
So they need to maintain that certificate.
Glad to hear that they use LE for such.
But back to your questions:
- Can someone explain how does it work when using SSL with firewall?
That depends on what the firewall is doing with the SSL connections and where the firewall is located.
If it is outside your system (in a cloud), then there is a portion of the client connection that is unencrypted (between your server and the Sucuri firewall). There are ways to address that but a self-signed cert is not ideal.
- Where should I install the CA on the hosting server or Sucuri?
A CA (Certificate Authority) should not be installed by a client - unless you are going to maintain a self-signing cert system (again, not ideal).
Here you may have meant to ask: Where should I install the certificate, on the hosting server or Sucuri?
If so, then I would say both should be secured (unless both are in the same physical box).
- What are the two options Sucuri suggested?
A. You could have your hosting provider install one for you on the site and our system could forward the validation to the server.
This sounds like what you would need; to generate the cert and ease the renewal process thereafter.
B. A self signing certificate which can also be done directly in the hosting account.
True, but again, not ideal.
- Which one should I use or is there a different way to do it?
Without any additional information, I’d say those are basically the two ways to do it:
A. Install LE cert on your hosting server (via forwarded Auth or via DNS Auth).
B. Self-signed cert.
- What would you do in this situation?
A. Get a picture of how things are connected and how service is being provided.
B. Understand where things are encrypted and how.
C. Understand where they are not, if any.
D. Decide if any of those unencrypted/insecure areas need to be encrypted/secured.
E. If needed, look for options that can meet those security needs.
F. Choose an option and go forward from there.
Without even a picture, I can only guess.
And that would most likely not do you any justice.
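
The difference between options A and B on the firewall-to-server hop, as an added example that is not part of the original post and is not Sucuri's or Let's Encrypt's tooling. It assumes the `openssl` CLI is installed; "Demo CA" (a stand-in for a public CA such as LE), `origin.example`, the function names and the file names are all constructed for the demonstration.

```bash
# Added example. "Demo CA", origin.example and all file names are constructed.

# Print "self-signed" when subject and issuer are the same name and the
# certificate is accepted as its own trust anchor; otherwise "ca-issued".
classify_cert() {
  local cert=$1 subj iss
  subj=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
  iss=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
  if [ "$subj" = "$iss" ] && openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Succeed only if cert $1 chains to the trust anchor file $2, which is the
# check a firewall in front of the server makes before trusting that hop.
edge_would_trust() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build constructed sample certificates in directory $1.
make_samples() {
  local d=$1
  # Option B: self-signed certificate on the hosting server
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=origin.example" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  # Stand-in for a publicly trusted CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Option A: certificate for the same name, issued by that CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
for c in self leaf; do
  printf '%s.pem: %s, ' "$c" "$(classify_cert "$tmp/$c.pem")"
  if edge_would_trust "$tmp/$c.pem" "$tmp/ca.pem"; then
    echo "chains to the CA"
  else
    echo "trusted only if pinned as its own anchor"
  fi
done
rm -rf "$tmp"
```

The self-signed certificate validates only when the verifier is handed that exact certificate as its anchor, so every renewal means re-pinning it on the firewall side.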