Dangerous how? I assume your port 80 runs the same webserver as your HTTPS on port 443, so I assume your not afraid for hackers directly hacking your webserver.
Also, how do people reach your HTTPS server on port 443? Do they rely on a redirect from port 80 or do people need to manually type https:// in their address bar?
Or do you use HSTS pre-loading? Do all browsers use HSTS pre-loading?
If keeping port 80 open would be actually dangerous, why would almost every site have it open?
Some ACME clients support a challenge type called TLS-ALPN-01 that operates over port 443. One option above and beyond the others suggested in the thread so far would be to switch to a client that has support for this challenge type.
So you refuse to use the obvious solution, and your DNS provider precludes a good alternative. Leaving those two aside, we're left with TLS-ALPN which isn't very widely supported, switching DNS providers (Cloudflare is free and has a widely-supported API), or running your own validation DNS host using acme-dns. Or realize that serving static text files over port 80 isn't dangerous in the least.
My concern with port 80 is that it needs to be open inbound, so our sites are then available on http (we also use a bit of software that has port 80 and port 443 open, but no redirect is available from port 80 to 443).
This does not follow. The only thing that has to be accessible on port 80 is the /.well-known/acme-challenge/ path, and that will still follow redirects to port 443. Let's Encrypt doesn't care what else is (or isn't) accessible on port 80.
Well, that’s not a LetsEncrypt issue, it’s a webserver configuration issue. I don’t know nginx, but in Apache we’d just use deny all for the root path, and accept on the /.well-known/acme-challenge/ path.
Certify The Web by default has an http challenge listener built in for temporarily answering port 80 http challenges, so you can remove the port 80 binding on your IIS site and leave port 80 open for http challenges only. You mention you have a bit of software that uses port 80 and port 443, if that’s not using https.sys (and claims the port exclusively) then there are bunch of other issues there.
Regarding manual dns challenges, they are absolutely the worst option because they are high maintenance and error prone. Use an automated provider - Certify supports acme-dns which you can use with any DNS host (just select the option and run a request to see who it works) and you can optionally use the default acme-dns server if you don’t want to run an acme-dns server. Alternatively switch your dns host to one that certify can automate such as cloudflare, aws route53 etc, some of which have free options.
Regarding alternative challenges like TLS-ALPN-01, currently there is no way to do that on Windows.
The best place to ask certify questions is on https://community.certifytheweb.com or contact support - this forum doesn’t automatically notify me if you mention certify in a question.