How do I submit my certificate signing request to Let's Encrypt?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
eils-dev2.login.us6.oraclecloud.com

I ran this command: see documentation here

It produced this output:
opentext_DEV2_AS2_cert.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
[...]
-----END NEW CERTIFICATE REQUEST-----

My web server is (include version): Unknown, this is Oracle SaaS environment

The operating system my web server runs on is (include version): unknown

My hosting provider, if applicable, is: Oracle. I need Certificate files, to then upload into Oracle Cloud Fusion via a GUI interface.

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I have no client

Then you have to choose one. See for a list of possible clients:

Not every client handles separate CSRs that well (for example, the recommended client certbot can use a separate CSR, but isn't really built for it). I believe acme.sh can handle CSRs pretty well, but I don't have experience with it.

Let's Encrypt solely uses the ACME protocol to issue certificates (and uses CSRs in the communication between the ACME server and client), therefore you're required to use an ACME client.

Also note that Let's Encrypt certificates are only valid for 90 days, and Let's Encrypt recommends renewing the certificate after 60 days. Therefore, Let's Encrypt is all about automation: set up your ACME client and the services using the certificate, and you shouldn't have to think about renewal et cetera. However, using a separate CSR and having to import the certificate manually makes this rather difficult, next to impossible. Things to think about.

Client... where would I install this client? This is a Cloud SaaS environment; we have zero access to any of the servers.

Just saw your edit to your post. I don't think Let's Encrypt is going to work for us...

Usually, one would install the ACME client on the same host that the hostname points to, i.e., in your case, the host with the IP address 129.152.32.94. This is useful when using the http-01 or tls-alpn-01 challenges. However, this is not required. It's perfectly possible to request the certificate from a different host and manage the challenge another way in the case of the http-01 or dns-01 challenges.

Note that Let's Encrypt requires proof of ownership for the hostname. See the link to the challenge types in the paragraph above.

We have no access to any server; the cert would be uploaded to our ERP system through a GUI.

Also, Oracle 'owns' the hostname, not the company I work for....

If you can't fulfill any of the three possible challenges, you can't get a Let's Encrypt certificate.

Thanks for clearing things up; you've been very helpful.

The CSR shown has this Subject:
Subject: C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = "Strategic Pharmaceutical Solutions, Inc."
[which lacks a certifiable FQDN]

And no:
X509v3 Subject Alternative Name:

So, there will be a problem with that CSR no matter which CA you take it to.

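Added example, not part of the thread: a small Python check for the two defects pointed out above (a CN that is not an FQDN, and no Subject Alternative Name). It assumes its input is the text printed by `openssl req -noout -text -in file.csr`; the function names and the second sample are constructed for illustration.

```python
import re

# Hostname syntax: dot-separated LDH labels, optional leading wildcard, alphabetic TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_csr_text(text):
    """Extract the subject CN and SAN DNS names from `openssl req -noout -text` output."""
    cn, sans = None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Subject:"):
            # openssl quotes a CN that contains commas, as in the CSR from this thread.
            m = re.search(r'\bCN\s*=\s*(?:"([^"]*)"|([^,/]+))', s)
            if m:
                cn = (m.group(1) or m.group(2)).strip()
        elif s.startswith("X509v3 Subject Alternative Name:") and i + 1 < len(lines):
            # The SAN values are printed on the line after the extension header.
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS" and value:
                    sans.append(value.strip())
    return cn, sans

def csr_problems(text):
    """Return reasons a public CA could not certify this CSR (empty list: none found)."""
    cn, sans = parse_csr_text(text)
    problems = []
    if not sans:
        problems.append("no subjectAltName DNS entries")
    for name in sans:
        if not FQDN_RE.match(name):
            problems.append(f"SAN is not a valid FQDN: {name!r}")
    if cn is not None and not FQDN_RE.match(cn):
        problems.append(f"CN is not an FQDN: {cn!r}")
    return problems

# Subject line exactly as quoted in the thread.
PAGE_CSR = 'Subject: C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = "Strategic Pharmaceutical Solutions, Inc."'
# Constructed sample: what a request for the thread's hostname would show instead.
GOOD_CSR = """Subject: CN = eils-dev2.login.us6.oraclecloud.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:eils-dev2.login.us6.oraclecloud.com
"""

if __name__ == "__main__":
    for label, text in (("thread CSR", PAGE_CSR), ("constructed CSR", GOOD_CSR)):
        print(label, "->", csr_problems(text) or "no problems found")
```

Passing this check only means the request names a hostname correctly; the CA still requires one of the ownership challenges to be fulfilled for that hostname.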

Ghe, I didn't even check the CSR, but that's indeed horrible.


I think, in context, this Oracle guide is typically not expecting people to use a publicly-trusted CA like Let's Encrypt.

Forward the certificate file to your CA. Follow the process established by your organization.

In this case, I think typically "your CA" would be an internal organizational CA, rather than a publicly-trusted one.

At least the B2B use case described here doesn't really require the certificates to be publicly-trusted: they're expected to be consumed by a very small number of identified business partners, rather than by the general public.


And by using your own CA, you would overcome the need to renew the cert every 90 days.
[without automation you will eventually come to loathe the entire manual recertification process]
