I am hosted on ipower, which uses cPanel and Apache. After getting a Let’s Encrypt cert and key using their service,I tried to find them to DL use on my remote box, located in my office, and which hosts several subdomains.
The certs which the service obtained were patterned example.com and *.example.com. I contacted customer service, and was told the certs don’t exist, which is patently incorrect, since they must reside on their servers to use SSL. Since it’s a given they exist,
(1) Who owns them? i.e., cert, key, CA_bundle?
(2) If they’re my property, but are needed for the smooth functioning of the site, is it legal for ipower to appropriate them without allowing me access? (Their TOS says probably)
(3) What are my rights? What is my recourse?
that's a problem / question between that service and his customers. There is no general answer.
Your domain name is required to check such things. May be there isn't a wildcard certificate.
Typically, it's the wrong way to export certificates to a customer, if that customer doesn't have the know how to work with these things (private key). So if you use their service, it's ok if you can't have the certificates.
Use your own root server, then you can do such things. But then you have much more things to do.
No comment on legaility, but it's quite sensible for them to refuse.
The secrecy of the private key is crucial in order for their SSL certificate (for your domain) to do its job properly. If they have to share it with you somehow (email, whatever), that creates the risk of a private key compromise, which can completely subvert the functional security of your certificate.
That said, I think the premise of your question needs addressing. It's not like they are holding something unique and irreplaceable hostage. Just make a second certificate, separate to the one iPage uses. That's a completely normal thing to do if your domain is hosted in two different places (e.g. their hosting and your office). They can exist at the same time without conflict.
Thanks for your quick reply, Juergen. I really appreciate it! There is
a wildcard certificate, because I can view it in my browser. I just
can’t get the .pem/.crt file. I have two subdomains on the ipower host,
and three more subdomains which I’m serving from my Ubuntu/Apache server
in my living room here in China, accessed by “A” records. As it is, I
need to obtain a separate cert/key set for each subdomain…it would be
so much nicer to use the wildcard!
I’m actually coming at this from a legal perspective: to whom is the
certificate actually issued? My domain is mine. A free certificate
issued to my domain should either be the property of Let’s Encrypt (and
I’m the licensee for the duration) or my property for its duration to do
with as I choose. This is an intellectual property issue. I only see
ipower as a custodian, as I understand these things.
I see your point, _az, but all my other certs have come to me by email. That’s the point of end-to-end encryption, isn’t it? That it gets scrambled before it gets sent and unscrambled after it arrives?
Yes, but you didn't receive your private key by email.
You generated your private key locally (on your computer or on your cPanel server), and then you sent a signed CSR to the CA. The CA then emailed you with the certificate and CA bundle, which you use with your private key.
You are free to download your wildcard certificate from a certificate log aggregator (such as crt.sh or censys.io/certificates). It will be there. It's just useless without the private key.
There is no end-to-end encryption in email. Any admin of any system the email traverses could steal your private key on its way to your inbox.
To the subscriber - iPage. By hosting your domain with them, you made them a "duly authorized agent". You can try Ctrl-F for "subscriber" in these documents:
I have a novel interpretation of the Let's Encrypt subscriber agreement that says if iPage did email you the certificate private key, they would be breaking the subscriber agreement ...
But like I mentioned already, this seems like an odd hill to die on, considering you can just make your own certificate.
Great metaphor, _az! And thanks for the links! I will be perusing them forthwith.
You’re probably right…better to let the thread die than die on that hill… at the same time, I can envision being held hostage by an unscrupulous hosting service…that’s what it feels like…
That concern only makes sense if it is not trivial to simply generate a new cert--which it is. Since you can generate any (reasonable) number of certs for free, the fact that your host won't send you the key (the cert is easy to obtain through any number of methods) simply doesn't matter. If you have need of a cert for your domain, now or in the future, for whatever reason, just generate another one.