Certbot requires an Auth Provider to validate the owner of a domain when allocating certificates.
Generally there are two types of auth providers.
1) the standard http auth mechanism
2) dns based authentication.
The http auth mechanism is built into nginx-le and is suitable for all public facing websites.
The dns based authentication mechanism is required for private web servers (no public ip address).
For dns authentication you need to be able to create a special dns record for your domain during the certificate acquisition and renewal phases. This means that you need to use your DNS providers API to create the required DNS entry.