Some of what's showing on crt.sh may be Cloudflare automatically ordering certs (they have a split between Let's Encrypt and Google Trust Services for that).
Generally if you need a cert for a domain that doesn't serve a public website then you'll be using DNS validation, so that involves using an ACME client to update an _acme-challenge TXT record for each domain/subdomain - there are lots of possible tools, but if you are specifically using Windows then it will most likely be Certify The Web, win-acme or Posh-ACME.
I don't know Azure Stack Hub at all, so can't help with that. Maybe you have some sort of internally developed API integration with that.
If I put the _acme-challenge.adminmanagement.global.txt, will it work in the otsmartrecording.net DNS record and pass the DNS-01 challenge even if it doesn't exist?
And how can I order a cert from Let's Encrypt via Cloudflare?
I'm still a bit fuzzy on what you're looking to do exactly but I think:
- You have existing CSRs for a bunch of domains that are somehow serviced via Azure Stack Hub and you are trying to generate corresponding certificates.
- You are using Cloudflare for your DNS.
- You want to specifically get certificates via Let's Encrypt.
I'm assuming you normally work on Windows OS, not Linux.
You could probably use something like Certify The Web to order a cert for a CSR (New Certificate > then under Advanced, Signing and Security choose your custom CSR), then under Authorization configure DNS validation using Cloudflare and a cloudflare API key. However, this can be cumbersome if you are setting up a lot of domains (there are advanced options for scripting config though). It could be worth it as an experiment to see if it works for what you need.
As an alternative, how about Posh-ACME (PowerShell): https://poshac.me/ They have an option to load a CSR as part of the order: docs/v4/Functions/New-PAOrder/ - they also have a Cloudflare DNS provider plugin. If you can get it working for one then you can probably get it working for all of them. Keep in mind that if you have many subdomains there is a Let's Encrypt rate limit of 50 certs per week per domain, and that includes requests for subdomain certs on the same domain.
Could you use a single wildcard certificate for *.global.otsmartrecording.net instead of managing lots of individual certs?
The general process for ordering a cert from Let's Encrypt is to use an ACME client (there are hundreds of possible ones) to:
- create an ACME certificate order using your custom CSR
- use HTTP validation or DNS validation to prove you still control the domain; as these aren't public websites, you'll be using DNS validation. DNS validation adds/updates an _acme-challenge TXT record with a new value for each cert renewal, which Let's Encrypt then checks to prove you still control that domain. This process is dependent on using an ACME client that can talk to your DNS provider (Cloudflare).
- once domain validation is complete, the ACME client can complete the order and download the cert, the file format for which will vary.
You then need to deploy your cert however you need it (does Azure Stack Hub expect a certificate upload or can you script it?)
A website doesn't have DNS records. A domain name has DNS records. If you have a domain name registered, you should have access to the DNS zone (records) for that domain name. To acquire a certificate, you'll need to fulfill a DNS-01 challenge for each domain name and subdomain name that you want your certificate to cover, which involves adding a special DNS text (TXT) record for each such domain name and subdomain name to the DNS zone(s) for those domain and subdomain names. These special records are provided by whichever ACME client software you use. Some of this software can add the records to your DNS zone(s) for you if you provide access for it to do so.
With no website (or, rather, webserver) for completing HTTP-01 challenges and no DNS access for completing DNS-01 challenges, I don't know how you're going to prove control over the (sub)domain name(s).
Whoever told you that did not quite understand what they were saying. As others have indicated, you just need access to the web server for PUBLIC web sites, but for internal-only web servers you need to either (a) make some kind of web server publicly available to answer an HTTP-01 challenge or (b) put the appropriate records in your external DNS for DNS-01 challenges.
I have been peripherally involved with people that get LE certificates for internal web servers. There are no A or AAAA records on their external DNS for these servers, but they do have _acme-challenge CNAMEs that point to a subdomain just for ACME validation. The internal web servers have the ability to add and remove the correct TXT records in that subdomain. There's really no other way to do it.
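To make the DNS-01 mechanics from the ordering steps and the _acme-challenge CNAME delegation described in the post above concrete, here is an added example (not code from any poster, Let's Encrypt, or any ACME client). It computes the TXT value a client publishes for a challenge (RFC 8555) and replays the CA-side check over a constructed in-memory zone; the example.com names, the token and the account thumbprint are all made up.

```python
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed values: a real token comes from the ACME server's challenge object and the
# thumbprint from your own ACME account key (RFC 8555 section 8.1). Neither is real here.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCtyD6BcwA"
ACCOUNT_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content for DNS-01 (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + thumbprint)) with '=' padding stripped.
    A new token per order is why the record changes at every renewal."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed zone data modelled on the delegation pattern: the internal host has no
# A/AAAA record in public DNS, only an _acme-challenge CNAME pointing at a
# validation-only subdomain where the ACME client is allowed to write TXT records.
Zone = Dict[str, Dict[str, List[str]]]
EXAMPLE_ZONE: Zone = {
    "_acme-challenge.intranet.example.com": {"CNAME": ["intranet.acme-dns.example.com"]},
    "intranet.acme-dns.example.com": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_THUMBPRINT)]},
}


def resolve_txt(name: str, zone: Zone, max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs the way a validating resolver would; return (final name, TXT values)."""
    for _ in range(max_hops):
        records = zone.get(name.rstrip(".").lower(), {})
        if "CNAME" in records:
            name = records["CNAME"][0]
            continue
        return name, records.get("TXT", [])
    raise ValueError(f"CNAME chain too long starting at {name}")


def validate_dns01(domain: str, token: str, thumbprint: str, zone: Zone) -> bool:
    """What the CA checks: _acme-challenge.<domain> must carry the expected TXT value,
    possibly reached through a CNAME to the delegated validation subdomain."""
    expected = dns01_txt_value(token, thumbprint)
    _, values = resolve_txt(f"_acme-challenge.{domain}", zone)
    return expected in values
```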
Is it possible/likely that all the previous certs you may have acquired were from an internal certificate authority (not Let's Encrypt)? Example internal CA services include Active Directory Certificate Services, smallstep, etc.
If this isn't really making sense I'd advise outsourcing the work to someone who specializes in Azure Stack Hub configuration. I don't think anyone here really uses it.