I have a company that will be hosting a website for us. They state they use Let's Encrypt. They state that Let's Encrypt requires that the certificate be renewed every 3 months. Although it can do it for the primary domain easily, they are stating that subdomain renewal will not work unless they manage the DNS NS. What would cause this?
If they use HTTP validation, they don't need to change DNS entries.
So if you don't need a wildcard certificate, no DNS change is required, if every domain name has an A or AAAA record (IPv4 or IPv6 address).
If your understanding of their story is correct, it sounds like they use a wildcard certificate for any subdomain, which isn't necessary, strictly speaking. Most websites include the www subdomain in their certificate and don't use a wildcard for that purpose. You don't need one to include subdomains in your certificate!
Perhaps you and your hosting provider didn't understand each other and had some miscommunication about the subdomains, or perhaps your hosting provider doesn't know how to issue subdomain certificates without a wildcard certificate? Which I doubt.
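The difference the replies above describe, as an added example that is not part of the original thread: for each requested name it works out what an ACME client would have to provision under RFC 8555, a file on the web server (http-01) or a TXT record in the zone (dns-01). The domain names, token and thumbprint are constructed sample values, and `plan_challenge` is a hypothetical helper, not part of any ACME client.

```python
import base64
import hashlib


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def plan_challenge(name: str, token: str, thumbprint: str, has_address: bool) -> dict:
    """Describe what must be provisioned to prove control of `name`."""
    key_auth = f"{token}.{thumbprint}"  # key authorization (RFC 8555, 8.1)
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    if not wildcard and has_address:
        # http-01: the CA fetches a file from the web server the A/AAAA
        # record points to. Nothing in DNS has to change.
        return {"name": name, "type": "http-01", "needs_dns_control": False,
                "where": f"http://{base}/.well-known/acme-challenge/{token}",
                "value": key_auth}
    # dns-01: the only challenge accepted for wildcard names, and the one
    # left when a name has no address record. It needs write access to the
    # zone. (tls-alpn-01 is not modelled in this sketch.)
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return {"name": name, "type": "dns-01", "needs_dns_control": True,
            "where": f"_acme-challenge.{base} TXT", "value": b64url(digest)}


# Constructed sample input. A real CA issues a separate token per name;
# one token is reused here only to keep the sample short.
TOKEN = "constructed-token-0001"
THUMBPRINT = "constructed-account-key-thumbprint"
NAMES = {"example.com": True, "www.example.com": True,
         "shop.example.com": True, "*.example.com": False}


def plan_all() -> list:
    return [plan_challenge(n, TOKEN, THUMBPRINT, a) for n, a in NAMES.items()]


if __name__ == "__main__":
    for p in plan_all():
        print(f'{p["name"]:18} {p["type"]:8} dns_control={p["needs_dns_control"]} {p["where"]}')
```

Only the wildcard entry reports `needs_dns_control=True`; the named subdomains validate over HTTP like the primary domain.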