Another option which can work over port 443 is the tls-alpn-01 challenge, which is supported by the Let’s Encrypt server since July 12, 2018.
Unfortunately, the list of ACME clients which support tls-alpn-01 is rather limited at the moment (in particular, certbot does not yet support it), and configuring the web server to respond to a tls-alpn-01 challenge may require server software changes or upgrades.