The subdomain has an A record, the domain itself has an NS record and an SOA record. I have used this setup with Let’s Encrypt successfully many times in the past.
Running certbot --version shows certbot 0.19.0
I verified port 80 by setting up an nginx server (before running certbot) and browsing to the subdomain over http - I successfully recevied the nginx holding page. I then stopped nginx before running the certbot command.