ACME TLS-SNI-01 Email -- Inbound Port 80 closed by design

You have three options.

  1. Change your mind and open port 80 :slight_smile: See this post for some reasons that might be a good idea.

  2. Switch to DNS-01 validation. Certbot has plugins for a number of popular DNS services that can automate this, but unfortunately it’s still difficult to install these plugins with certbot-auto (the PPA is easier, if you can switch to that). If your DNS provider does have an API, you can also set up automated renewals by writing a script (if you can program) - see https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks for details. Alternatively you could try a different client that has better DNS-01 support than Certbot, such as acme.sh.

  3. Switch to the new TLS-ALPN-01 validation method. This works over port 443 like the TLS-SNI-01, but Certbot doesn’t support it yet so you’ll have to use a different client for now. Unfortunately most webservers don’t have flexible enough ALPN support to allow this to work while the webserver is running, so you would have to stop it temporarily during the authorization.
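One way to write the DNS-01 hook script mentioned in option 2, added here as an example and not code from the original thread: a Certbot `--manual-auth-hook` (also usable as the cleanup hook) that publishes the `_acme-challenge` TXT record with an RFC 2136 dynamic update through `nsupdate`, reading the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot sets. The nameserver, TSIG key path and propagation delay are assumed placeholders.

```python
#!/usr/bin/env python3
"""Certbot DNS-01 auth/cleanup hook: add or remove the challenge TXT record via
an RFC 2136 nsupdate. Added example; nameserver, key path and delay are assumed."""
import os
import subprocess
import sys
import time

NS_SERVER = os.environ.get("NSUPDATE_SERVER", "ns1.example.net")            # assumed
TSIG_KEYFILE = os.environ.get("NSUPDATE_KEYFILE", "/etc/certbot/tsig.key")  # assumed
PROPAGATION_SECONDS = int(os.environ.get("DNS_PROPAGATION_SECONDS", "30"))  # assumed
TTL = 60


def challenge_record_name(domain: str) -> str:
    """DNS-01 is validated at _acme-challenge.<domain>; a wildcard name is
    validated at its base domain, so a leading '*.' is dropped."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain.rstrip('.')}."


def build_nsupdate_script(domain: str, validation: str, server: str,
                          delete: bool = False) -> str:
    """Return the nsupdate batch that adds or deletes the TXT record."""
    # Certbot's validation value is base64url (A-Za-z0-9_-); refuse anything
    # that could break out of the quoted TXT rdata.
    if not validation or any(c in validation for c in ' "\\\n'):
        raise ValueError("unexpected characters in validation value")
    name = challenge_record_name(domain)
    if delete:
        update = f'update delete {name} IN TXT "{validation}"'
    else:
        update = f'update add {name} {TTL} IN TXT "{validation}"'
    return f"server {server}\n{update}\nsend\n"


def main(argv: list) -> int:
    delete = "--cleanup" in argv
    script = build_nsupdate_script(os.environ["CERTBOT_DOMAIN"],
                                   os.environ["CERTBOT_VALIDATION"],
                                   NS_SERVER, delete)
    subprocess.run(["nsupdate", "-k", TSIG_KEYFILE], input=script,
                   text=True, check=True)
    if not delete:
        # Certbot triggers validation as soon as this hook returns; let the record propagate.
        time.sleep(PROPAGATION_SECONDS)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/hook.py --manual-cleanup-hook "/path/hook.py --cleanup" -d example.com`; the TSIG key should be scoped so it can only update the `_acme-challenge` names.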
