For HTTP-01 validation, that's correct.
You may use:
- TLS-ALPN: Works over port 443, but requires a special kind of webserver (or nginx with the SSL stream preread module compiled); Certbot can't do it for you.
- DNS-01: Requires the ability for your ACME client to set a TXT record on the domain(s) it's issuing certificates for.