I run a scientific web site, call it site.org, that is mirrored at three locations, all listed in DNS as site.org so that clients will choose a specific mirror at random. The individual mirrors are server1.site.org, etc. The LetsEncrypt certificate covers site.org plus the mirror names. All of the mirrors are inside universities that are donating bandwidth; I don't have the funding to pay for the bandwidth myself.
One university, univ.edu, recently decided that for "security control of https communication" (their words) all sites inside their network should be behind their *.univ.edu wildcard certificate. Their implementation is that at the firewall, when they see a port 443 connection, they intercept the SSL handshake and substitute their own certificate. My server never sees the certificate handshake. The client browser sees the *.univ.edu certificate and rejects it because it doesn't cover site.org. I asked for my server's IP to be whitelisted for passthrough, and they said doing so was "not possible".
To me, substituting their certificate for mine looks like an adversary-in-the-middle attack. To be fair, I don't know if they're actually sitting there and monitoring traffic, but I don't see anything to prevent them from doing so. I don't give a hoot about the monitoring for my own purposes (everything on the site is public anyway) but it just seems like a Bad Idea to me even though it makes it much easier for them to manage certificates for sites inside univ.edu.
So: is it normal for large organizations to use an AITM approach to managing certificates? Is this really just because they want to snoop on all (incoming, but not outgoing) connections? Are there reasons I haven't though of for why this is a Bad Idea?
Fundamentally I'm looking for strong arguments I can use to talk them out of their position. If they won't bend, I fear I'll have to shut the mirror down, which would be sad for my users because that mirror has much better bandwidth to the continent it is located in. (Alternative suggestions would be appreciated, though!)
It is perfectly normal that an organization (university, company, ...) wants control over the traffic inside their network. This includes inspection and filtering the traffic for security and compliance, maybe with some exceptions for privacy. After all it is their network and they are responsible for it.
It is also common that mirror sites hosted by third parties are not all subdomains of a common domain name, but instead have domains reflecting the organization where they belong to. I don't know what makes it impossible for you to follow this approach.
I'm not sure if this means that all these sites use the same certificate, including the same private key. In this case the private key is distributed not only over multiple servers but these servers (or at least the infrastructure hosting the servers) are also managed by different organisations. This increases the risk of compromising the private key. Better use separate certificates.