i searched your forum already but my question is not completely answered. I am wondering if invoicing us the certificate itself with a yearly cost is ok.
Our hosting provider invoices us beside the working time to create and implement the certificate as well yearly costs for the certificate itself.
All other questions into this topic was finally answered that the provider invoices the service to implement or generate the certificate, but in my case its defenetely as i described above.
Let's take a more abstract example.
A cup of water is free... but it is across the street from where you are seated.
Someone offers to bring you a cup of that "free water" for a price.
[they would have to cross the street twice - without spilling your water]
Does that sound like highway robbery or payment for services rendered?
I mean, we once had a wordpress site on which we expected a lot of traffic, and didn't have any money to invest in the necessary infrastructure (and fuck cloudflare, too).
So, what did we do? We installed a plugin to make a static site out of the wordpress site, and we pushed the whole thing on github pages: our site is now being hosted on Microsoft's cdn, and with a proper Let's Encrypt certificate we didn't even have to ask for. Good luck abusing a static website on that hosting.
And wordpress... It could've ran on a laptop (it was on a cheap VPS, we weren't that cheap).
I understand the difference between the service to issue the certificate, embed it with the services we are using etc. And in our case we got an invoice for this twice with 3.5hours working time and on top with 100€ each Year for 2 certificates which are running 2 domains but on the same host. So actually its easy to just extend the first certificate by a second domain. But we got invoiced the extrem high service of 7 hours and on top yearly for 2 certificates. I dont feel thats a good trustful business they are doing. Unfortunately if there is no rule which dont allow to resell the certificates its not a point to get out of the contract our boss did with this company.
The issue here isn't whether they should resell the certificates (they're selling the certificate provisioning, which is not the certificate itself - it's the service of getting it and installing it for you), the issue is that they charged a lot of money for the work and said it took them 7 hrs to do, which is highly unlikely and needs proof.
If you need to get out of the contract just ask them for a simple breakdown of the work required and approximate time spent for each step - perhaps there really is a reason. If they can't provide a breakdown of the work (or they do but it's inflated) then the work did not demonstrably take place as stated or was not performed to a reasonable standard - pretty easy to cancel on the ground of incompetence (non-performance) or fraudulent time keeping. Alternatively the contract will have standard terms for cancellation and that will include non-payment by you.
