Cannot retrieve Let's Encrypt certificates

I have UCS installed. I have updated to the latest errata. But when I try to run the cert as Administrator I get the following message:

Status

Current status of the App

"detail": "Method not allowed"

Any tips?

Further detail:

  • I have internet access from the machine, I ran the updates to the latest errata over the internet.

Your UCS must be reachable via port 80 from the internet.
The app sends a certificate request to Let's Encrypt and they request to generate a cryptic webpage (temporary) on your domain; if Let's Encrypt sees that requested webpage, Let's Encrypt assumes you have sovereignty over that domain and signs a certificate. This happens in the background.

So is your UCS reachable on port 80 from the internet?

Ok, that makes sense.

At this point the server is nestled behind our edge firewalls without any incoming connections. I will come up with an alternative plan. Probably find some way to leverage the Let’s Encrypt DNS challenge.

Appreciate the help.

You can create a logging port 80 rule on your firewall, verify the Let's Encrypt source by requesting a certificate. The request from Let's Encrypt will come a few seconds later. Then you can allow only this source connecting to your port 80. Should be safe. :wink:

Oh! I’ll check that out too!
Thank you!

It will take some more scripting to make it do exactly what I want, but I have been able to get the Let’s Encrypt DNS challenge to work from within our network, to our Route53 hosted domain.

This means I don’t need to mess with the firewall config and the connections are known/secure.

It might be worthwhile to add the DNS challenge as an option to the Let’s Encrypt plugin, perhaps in an “advanced” area so as to not overwhelm a new user.

When I have tested the cert transit around our network and to the UCS I’ll put more details here and mark it solved.
