Questions? Start a Support Ticket
User Registration
Customer Login

Knowledgebase

Portal Home > Knowledgebase > Articles Database > Beware of Cheap SSL Resellers


Beware of Cheap SSL Resellers




Posted by AcheronMedia-VK, 11-10-2014, 12:11 PM
I tried to phrase the title as fair as possible, given that the real problem here might not have existed if I purchased from RapidSSL directly. Of course if it were my decision, I would have gone to DigiCert and their $200 entry level SSL cert, because the (comparatively insanely) high price is actually reflected in the quality of the certs and customer support (that's my direct experience with them), but the clients wanted the $9 resold RapidSSL certs and that's what we got for them. The quality of certs, indeed, even if you think WTF I am talking about, they're all pretty much strong 2048-bit, SHA256 today, yes even the cheap-o ones, but this is the fallout of the recent "let's switch to SHA256" ruckus that methinks is going to turn into a debacle for some, as the intermediaries and roots are still at SHA1 for some. The quality difference is in the entire process from ordering to deployment. So what happened? Well, let me break down the issue that started last Saturday: Our SSL audit tools started complaining about SHA1 intermediaries (they have been for a while, but I now decided to do something about it)I went out to find if RapidSSL had SHA256 CA bundles, they apparently haveThe bundles broke our certs, and a bit of research showed that the original certs would probably have to be re-issued because the CA bundles were issued after the certsThe only way to re-issue a RapidSSL - through Geotrust's control panel, did not allow us to re-issueI opened a support request with RapidSSL to ask about the broken CA bundles and re-issuing, got told off to talk to the resellerThe reseller gave us a canned response not too relevant to the problem at hand (SHA256 CA bundle breakage and inability to re-issue), the person probably didn't even read my ticket but skimmed through a few keywordsRapidSSL blocked any follow ups by email from us with a Policy at their MTA (I kid not, I've got bounce mails to prove, and no, our MTA IPs are as clean as a whistle)RapidSSL chat support today cut us off the moment they realized we are using re-sold certs, even thought the only known way to get the CA bundles and re-issue is through RapidSSL/Geotrust panels directly.I am still waiting for the reseller to reply and I guess it'll take a few days and a ping pong with ticketsI got my panties in a knot and posted here on WHT. So what is rip-off? Is it when the system is designed to have your products resold, allowing the resellers to play dumb and the customer is left to play a blame game between them? Is it rip-off when you sell something, directly or indirectly -- you are endorsing your resellers, otherwise don't allow them to resell your goods and install a quality assurance programme -- but the customer is left with no one to complain to? Is it a rip-off when you ask the customers of your resellers to use your control panel directly but then block them, disconnect them, when they complain to you they can't use the tool? Oh, I am sure that eventually I'll get this sorted out one way or another. The reseller is a well known domain registrar who just recently got into the SSL reselling game and I'm sure they will want to protect their reputation. I won't name the reseller because I don't think it's important and I'm certainly not trying to play the "WHT card" (and I don't think they have a rep here anyway) and the guessing game can start now. It's RapidSSL's fault (Geotrust's actually) because they designed and are endorsing such a system which is maximizing the sales while minimizing support cost. I'm not naïve, I know how things work. That doesn't mean the system is not designed to be a rip-off, deliberately or through malpractice. Because if you want to maximize your profits and minimize the support cost, then build a damn system that works without human intervention. It's not that hard. The expensive cert provider I named above certainly does have that. Click - your cert is here. Click - the CA bundle is here. Click - the documentation how to install. Click, re-issue. Ain't hard. You just click. This is the last time I am catering to cheap clients wanting cheap certs. It's been a lesson well learned.
Posted by Atlanical-Mike, 11-10-2014, 12:13 PM
It depends which reseller you use. Namecheap are known for their good SSLs and they are a reseller as they aren't the CA themselves. Who did you use?
Posted by (Stephen), 11-10-2014, 12:25 PM
Mike, he used digicert just like the OP says... now, I don't blame geotrust for blocking you, you did not buy from them, you must get support from digiCert. This is the same with pretty much every reseller program. It is a violation of trust for the master company to do support requests for reseller clients unless there is some circumstances like out of business, death of single person biz, or I guess fallen behind in payments and clients will be left stranded, otherwise it is a hands off affair for reseller clients.
Posted by AcheronMedia-VK, 11-10-2014, 12:33 PM
I just posted a thread calling a beware of cheap resellers and you're suggesting me another cheap reseller? I know about Namecheap, even though the reseller here in question is not them, we also have some purchased through their ssls.com, and I have yet to deal with that... waiting first to see how this will be resolved.
Posted by AcheronMedia-VK, 11-10-2014, 12:35 PM
No, sorry for the confusion, DigiCert is not the reseller in question, I just mentioned them as a provider I should've gone to in the first place, instead of cheap resellers.
Posted by Atlanical-Mike, 11-10-2014, 12:38 PM
He said he had a RapidSSL and also said: I would have gone to DigiCert and their $200 entry level SSL cert He didn't use Digicert... He said he would have gone to... Namecheap seem to have a lot of good reviews and people recommending them. Just because you had one bad experience with one doesn't mean the others are the same. As that could be said about webhosts too.
Posted by (Stephen), 11-10-2014, 12:44 PM
oh yes, That's what I get for speed reading too. Still the point about reseller and going direct to geotrust is valid, if they didn't buy from geotrust then geotrust isn't at a point to give support, and may not even have validation info for the client.
Posted by AcheronMedia-VK, 11-10-2014, 01:08 PM
I understand that, but in case of RapidSSL resellers, as far as I've seen and I haven't seen otherwise, nor has any of them, resellers or RapidSSL directly, instructed me otherwise - the only way to manage a RapidSSL cert is to go to the Geotrust control panel and start the process yourself, directly, via https://products.geotrust.com/orders...hentication.do You also get emails from Geotrust, once you complete the reseller's payment process, so no, there is no clear cut trust to violate, since Geotrust is there, in your face, from day one. And that tool was broken for us that's why I opened a ticket with RapidSSL. I might even not complain if they didn't set that MTA policy. Yeah, tinfoil hat and all, I'm kinda sure the policy was set deliberately to prevent me from pestering them directly. Well, as experience has shown, all the cheap-o webhosts do seem to be all bad experience. It's the usual "you get what you pay for" reply here on WHT and I'm fully aware it applies in my case too. Not a reason to not complain, right? Edit: BTW, regarding the trust violation comment, I just checked, the Geotrust management process clearly states: "If you have any questions, please contact GeoTrust Support." when you submit the CSR... Last edited by AcheronMedia-VK; 11-10-2014 at 01:12 PM. Reason: added the GeoTrust support tidbit at the end
Posted by Website themes, 11-12-2014, 01:29 AM
HaronMedia If your time is so valuable that you can waste $200 on a cert when a $9 one will do then just buy another $9 one. Yes, you can do that. Just open an account at another reseller and buy a basic domain validation cert for your domain name. It can even be another rapidssl (select "renew" if asked). Or buy a positive ssl from the same reseller you currently have an account with. You don't have to wait for customer support to reply.
Posted by AcheronMedia-VK, 11-12-2014, 07:50 AM
That is pretty much beside the point, isn't it. I've dealt with this and will solve it. This post is about cheap REsellers being the problem to watch out for. Especially RapidSSL resellers it seems. Also, and this is very important, if you buy a new cert for the same domain, you really have to revoke the old one, so the problem of dealing with it remains in the same domain re-issue is, even if I wanted to waste $9 of my own to "re-issue" client's certs, which I don't.
Posted by Website themes, 11-12-2014, 07:57 AM
The point I was trying to make is that the price gulf is so wide between digicert and cheap ones that you could buy lots and lots of new cheap ones and still save money. And as far as customer service goes how often do you need to reissue a cert? This sha1 thing is a once in a decade event. That's not true. You don't have to do anything. There are lots and lots of CAs. Each one can issue you a cert for your domain name. In fact you can get multiple certs issued for the same domain from the same CA. Last edited by Website themes; 11-12-2014 at 08:00 AM.
Posted by AcheronMedia-VK, 11-12-2014, 08:17 AM
If you read my original post, it isn't my money to save. If it were, then yeah, I could buy somewhere else and have this one revoked whenever with very little time lost on it. It's also not a question of one cert... So I refuse paying for clients' desires out of my own pocket to have a resold RapidSSL (because upstream RapidSSL is $49) because they are too cheap for quality stuff. The problem is of not having support when you need one. This (SHA1->SHA256) might be a "benign" incident, but it's good to know that when a security incident happens and you have to solve problems asap, there won't be any adequate support to help you. Well true, you don't have to. You also don't have to purchase anything and you can use self-signed certs. Or better yet, pffft, screw this, who needs SSL, right? It's all backdoored by NSA anyway.
Posted by xgenHosting, 11-12-2014, 08:29 AM
HaronMedia I think you need some iced tea to calm your nerves We got your message we stand beware-ed(yea i know thats not a real word ) and will never buy SSL from a reseller. We promise, thanks for brining this out in the open. We will always ask the client to buy their own SSL and be done with it, wonder why you didn't do that in your case
Posted by AcheronMedia-VK, 11-12-2014, 08:38 AM
Awesome! Job well done then. Well that's a mystery isn't it.
Posted by AcheronMedia-VK, 11-17-2014, 08:34 AM
I am going to name the reseller because there's one thing people should really know before purchasing a RapidSSL from them, and it is not written anywhere but in their dashboard once you create an account which happens during/after the purchase. It is also not part of the ToS. I asked them why, they said it was a "limitation mandated by GeoTrust". Must be something "mandated" to them only because I can reissue RapidSSl elsewhere just fine. It is name.com and they do not allow you to reissue RapidSSL certs. @Licensecart-Mike , yes, we got up and running with NameCheap's SSLs.com within five minutes, they answered our questions in the chat and we were able to reissue the RapidSSL certs for full SHA256 chain. Goodbye name.com.


Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Webfusion Reseller Review (Views: 675)
VPS consistently offline... attacked? Don't know (Views: 730)
Support for users (Views: 710)
Altushost.com down.?? (Views: 818)
rDNS Management (Views: 722)


Language:

Our Services

Client Menu

Legal

Terms of Service | Privacy Policy | Refund Policy | Affiliates
Copyright © 2015 DC International LLC in partnership with Bragin IT Solutions Inc. - All Rights Reserved.