Hi @Anthon,
Let's Encrypt's verification methods require that the name that you request a certificate for actually exist in DNS (or if using the DNS validation method, a specific kind of text record must refer to it) and be publicly visible at the time of verification.
I am a bit confused by what you said above, but to try to summarize what is and isn't possible:
- If the name that you want a certificate for already exists in DNS and has an A (or CNAME) record, but the public IP address corresponds to a proxy, you can complete an HTTP-01 challenge in various ways, as long as the proxy is able to send the challenge verification request to the actual server that possesses the private key, or as long as you manually post the requested file in the right place on the proxy server's HTTP listener.
- If the name that you want a certificate for does not exist in the DNS as an A or CNAME record, but you have the ability to update your DNS zone, you can use the DNS challenge and temporarily create a verification record in response to the challenge. (The verification record is a text record for a related name, proving that you can update the DNS zone; it's not an A record for the name itself.) In Certbot this currently only works in manual mode, but the bash script clients have especially mature support for it.
- If you don't want the name to be publicly disclosed at all (e.g. in Certificate Transparency!) or to be mentioned at least ephemerally in DNS, you cannot get a certificate from Let's Encrypt.