The usual providers don’t support this :(. I think it’s because it’s much less clear what the policies are for a delegated sub-domain. The obvious difference is that “normal” domains are registered in WHOIS database(s), including an expiry date. I wouldn’t just assume letsencrypt can do better.
“Subdomain-only SSL security/availability”
“Implenting an SSL certificate for DynDns”
The other “interesting” thing about sub-domains is the HTTP security model. DynDNS (no longer free) got their domains onto the Public Suffix List. The only other provider that did so was DuckDNS, because I asked them about it :).
If letsencrypt was able to run (or partner with) a DNS sub-domain service as well, that would be great. It’s another lot of work though. If you look at DuckDNS’s support (Google+), they’re constantly taking down malware domains.