Minimum DNS config to allow installing a Letsencrypt certificate

My YunoHost server

Hardware: VPS with 4GB ram on my old PC
YunoHost version: 4.2.4 (stable), 4.2.5.2 (stable)
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Context

I have a domain that points to a public website. I have access to the registrar to set any DNS records needed.
Then I have a subdomain that I want to use for a YunoHost installation in the LAN. The LAN is behind a firewall (I have full access to it). YH and apps should not be accessible from the internet.
Currently most apps are working through the browser. Some apps are impossible to use: e.g. git clients refuse to fetch projects from Gitea because of the self-signed certificate (“fatal: unable to access … SSL certificate problem: self signed certificate in certificate chain”).
Email use for that subdomain is not needed.

Description of my issue

The YunoHost installation doesn’t allow installing a Letsencrypt certificate. The green button is disabled.

What is the minimum that I need to change, to be able to install LE cert?

From diagnosis page:

# DNS records: 1 issue, 2 warnings
DNS records are correctly configured for domain sub.domain.com (category basic)
Some DNS records are missing or incorrect for domain sub.domain.com (category mail)
Some DNS records are missing or incorrect for domain sub.domain.com (category xmpp)
Some DNS records are missing or incorrect for domain sub.domain.com (category extra)

# Ports exposure: 6 issues
Ports 80/443 are port-forwarded to another local server (as they should be).
Other ports are blocked from outside.

The minimum is that you should have an A record pointing your domain to your IP (sounds like that part is ok) and port 80 of your server should be publicly exposed (that’s the blocking part).

What could I do if I want that other service to be exposed to the internet on ports 80/443 most of the time?
I don’t have any proxy, just a firewall with simple NAT.

What do you mean by “that other service”? What service?

I mean that I have the other server, to which 80/443 are currently routed.

Hm yeah, so this is the classic question: “how do I host more than 1 server behind a single IP”

There’s no simple answer; the most classical thing is that you need to configure some reverse proxy from the main server (= your ‘other’ server to which ports 80/443 are routed) to your new server. There’s no automatic trick for this (except maybe if your server is a YunoHost server, maybe the redirect app could do the trick, or part of it). It depends on what kind of web server is running (nginx, apache, …) and you need to configure stuff by hand.

Or, in your case, you can imagine temporarily redirecting it to the other server just to get a certificate, and you’d have to re-do this every time you need to renew the certificate.
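As an added example (not from this thread, and not YunoHost project code), here is what the reverse-proxy approach from the reply above looks like when the "main" server that currently receives ports 80/443 runs nginx. It covers the two requirements of the earlier reply, A record plus reachable port 80, while keeping the thread's constraint that the YunoHost box stays LAN-only: only the Let's Encrypt HTTP-01 challenge path is forwarded, every other request to the subdomain is refused. Assumptions: the main server is nginx, the YunoHost box has the placeholder LAN address 192.168.1.50, and sub.domain.com is the subdomain from the diagnosis output.

```nginx
# Added example, not from the thread. Drop into /etc/nginx/sites-available/ on the
# main (publicly reachable) server and enable it; then `nginx -t` and reload.
# 192.168.1.50 is a placeholder for the YunoHost box's LAN address.

server {
    listen 80;
    listen [::]:80;
    server_name sub.domain.com;   # the subdomain whose A record points at the public IP

    # Let's Encrypt HTTP-01 validation connects to port 80 of the public IP and
    # requests /.well-known/acme-challenge/<token>. Forward exactly that path,
    # unchanged, to the YunoHost box so its own nginx can answer the challenge.
    # Keeping this block permanently also covers renewals, so there is nothing
    # to re-do every 90 days.
    location /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.50;
        proxy_set_header Host $host;          # YunoHost serves the challenge per domain
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Everything else for this subdomain is refused: the thread requires that
    # YunoHost and its apps are not reachable from the internet.
    location / {
        return 403;
    }
}

# No 443 block is defined on purpose: HTTPS for sub.domain.com is only meant to be
# used from inside the LAN, where clients reach 192.168.1.50 directly (e.g. via a
# local DNS override) and see the Let's Encrypt certificate instead of the
# self-signed one that breaks git clients.
```

Note that this only works if the main server's existing configuration does not already claim sub.domain.com in another `server_name`, and it does not change which server answers 443 from the outside. Apps in the LAN still need to resolve sub.domain.com to the LAN address (a local DNS entry or hosts file), otherwise they will hit the public IP and get the 403.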