I run a scientific web site, call it site.org, that is mirrored at three locations, all listed in DNS as site.org so that clients will choose a specific mirror at random. The individual mirrors are server1.site.org, etc. The LetsEncrypt certificate covers site.org plus the mirror names. All of the mirrors are inside universities that are donating bandwidth; I don't have the funding to pay for the bandwidth myself.
One university, univ.edu, recently decided that for "security control of https communication" (their words) all sites inside their network should be behind their *.univ.edu wildcard certificate. Their implementation is that at the firewall, when they see a port 443 connection, they intercept the SSL handshake and substitute their own certificate. My server never sees the certificate handshake. The client browser sees the *.univ.edu certificate and rejects it because it doesn't cover site.org. I asked for my server's IP to be whitelisted for passthrough, and they said doing so was "not possible".
To me, substituting their certificate for mine looks like an adversary-in-the-middle attack. To be fair, I don't know if they're actually sitting there and monitoring traffic, but I don't see anything to prevent them from doing so. I don't give a hoot about the monitoring for my own purposes (everything on the site is public anyway) but it just seems like a Bad Idea to me even though it makes it much easier for them to manage certificates for sites inside univ.edu.
So: is it normal for large organizations to use an AITM approach to managing certificates? Is this really just because they want to snoop on all (incoming, but not outgoing) connections? Are there reasons I haven't thought of for why this is a Bad Idea?
Fundamentally I'm looking for strong arguments I can use to talk them out of their position. If they won't bend, I fear I'll have to shut the mirror down, which would be sad for my users because that mirror has much better bandwidth to the continent it is located in. (Alternative suggestions would be appreciated, though!)
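The rejection the browser performs is a hostname check against the certificate's dNSName entries, and the same check can be run against each mirror by IP (with SNI set to the public name) to detect when a mirror is presenting a substituted certificate. The following is an added example, not code from the original post; the 192.0.2.x addresses and the SAN lists in the offline demo are constructed stand-ins.

```python
"""Probe each mirror of a DNS round-robin site by IP and report which
ones present a certificate that does not cover the public name.
Added example; mirror IPs and sample SAN lists are constructed."""
import socket
import ssl

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a single '*' only
    as the whole leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN dNSName in the presented certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)

def san_dns_names(peercert: dict):
    """Extract dNSName entries from ssl.SSLSocket.getpeercert() output."""
    return [v for (k, v) in peercert.get("subjectAltName", ()) if k == "DNS"]

def probe_mirror(ip: str, hostname: str, timeout: float = 5.0):
    """Connect to one mirror by IP with SNI=hostname and return the SAN
    names it presented. The chain is still validated so the certificate
    can be read; the hostname verdict is left to cert_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report the mismatch instead of aborting
    with socket.create_connection((ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return san_dns_names(tls.getpeercert())

def classify(hostname: str, observed: dict) -> dict:
    """Map each mirror IP to 'ok' or 'mismatch' from its observed SAN list."""
    return {ip: ("ok" if cert_covers(sans, hostname) else "mismatch")
            for ip, sans in observed.items()}

if __name__ == "__main__":
    # Constructed offline sample standing in for probe_mirror() results:
    # two mirrors serve the site's certificate, the third is intercepted.
    sample = {
        "192.0.2.10": ["site.org", "server1.site.org", "server2.site.org"],
        "192.0.2.20": ["site.org", "server1.site.org", "server2.site.org"],
        "192.0.2.30": ["*.univ.edu"],
    }
    for ip, verdict in classify("site.org", sample).items():
        print(f"{ip}: {verdict}")
```

Run against the real mirrors by replacing the sample with `{ip: probe_mirror(ip, "site.org") for ip in mirror_ips}`; a mirror that reports `mismatch` is the one whose handshake is being rewritten before it reaches the server.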