I cannot install the REST on the ASA while in production.
This is your local policy, I guess? Many production ASAs have the REST API enabled. It’s production code from Cisco. No reason to be afraid of it IMO. Well, not more afraid of it than any other Cisco code : )
Is there any other way to submit manually a CSR and get a cert back (any portal of Lets Encrypt)?
You’re not going to be able to satisfy the HTTP-01 challenge with an ASA.
You could manually do what the certbot-asa plugin does for you. This would require configuring a self-signed TLS certificate (trustpoint) on the ASA and enabling it with the `ssl trust-point` command prior to LE validating challenge completion. I’m not sure there’s a certbot plugin which facilitates doing this manually, however.
The easiest manual approach is likely the DNS-01 challenge with certbot’s manual plugin. You’d need administrative access to your Internet-facing DNS. After satisfying the challenge, you’ll find the certificate, chain cert(s) and key material in the certbot config tree. A message at completion time tells you where it is.
The other option: Briefly change your DNS record so that it points at an Internet-facing box where you run certbot. Let certbot collect the certificate with the `--certonly` option. Then point the DNS record back at the ASA. Manually install the resulting certificate / chain cert / keypair on the ASA. The problem with this approach is that you interrupt DNS for the ASA briefly, which would not be acceptable in most environments.