Best way to Certbot-renew a certificate in a locked-down system

There are just a few ports allowed for challenges in the CA/Browser Forum Baseline Requirements, the "rule book" every public CA needs to adhere to. The reason for this is probably so that only admins can actually request and get certificates and not non-root users on a shared server.

Not sure about that. I believe higher ports are available to non-root users and sometimes/often (dunno about that nowadays) "plain" users (i.e.: non-root) can get SSH access on a server. My ISP, before they were taken over by another larger ISP, offered SSH access on servers of the ISP.


There are a lot of variations to this vulnerability, but the simplest one to understand is this: Many domain names point to shared hosting servers, on which multiple unrelated customers host their services. Since any user can bind to a port over 1024, allowing arbitrary ports would enable one customer to obtain certificates for another.

Even within the 1024 "well known" or "reserved" ports, there are currently differences between operating systems as to whether or not a port requires root privileges. Port 80 is currently required largely because most operating systems require root privileges to bind to it.


@Osiris: having parsed this now 🙂, unfortunately it turns out that noip doesn't allow CNAMEs to be created which begin with an underscore; possibly they need to make money out of providing certificates themselves? Neither can one create NS records, which might allow me to run my own acme-dns instance.

It seems that it is basically not possible to automate certificate renewal with LetsEncrypt via the DNS mechanism if no-ip is your DNS provider. I will have to just do the next certificate update manually via a TXT record (which can begin with an underscore) and then move the domain to somewhere more flexible.

FYI -

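For the manual TXT-record route described above, here is an added example (not code from the thread or from certbot) showing what actually has to land in DNS for a dns-01 challenge: the `_acme-challenge.<domain>` name, the TXT value derived from the ACME token and the account key thumbprint (RFC 8555 section 8.4, RFC 7638), and what the same challenge looks like when delegated via CNAME to an acme-dns style target. The token, JWK and the `cname_target` value are constructed placeholders; a real token comes from the ACME server and the key is the registered account key.

```python
import base64
import hashlib
import json

# Constructed sample values (not from the thread): the ACME server issues the real
# token, and the JWK is whatever account key certbot registered with Let's Encrypt.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "WCCLYb_iW1WlkZmX-JKxTkXXJdGjXlMnSgJmnjh4Nso",
    "y": "pvW58rxFfI3Q3c-v1i7gnJ7_tR2Q1rDh4sMFoYjVjhk",
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised in lexicographic order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record content for dns-01 (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_records(domain: str, token: str, jwk: dict, cname_target: str = None) -> dict:
    """Records to publish. Without delegation the TXT record sits directly at
    _acme-challenge.<domain>; with an acme-dns style delegation that name is a
    CNAME to cname_target (a hypothetical name here) and the TXT lives there."""
    name = f"_acme-challenge.{domain}"
    txt = dns01_txt_value(token, jwk)
    if cname_target is None:
        return {"name": name, "txt": txt}
    return {"name": name, "cname": cname_target, "txt": txt}

def txt_present(answers: list, expected: str) -> bool:
    """Check a set of TXT answers (e.g. copied from dig output) for the exact
    expected value; surrounding quotes and stale values from earlier renewals
    are ignored."""
    return expected in {a.strip().strip('"') for a in answers}
```

Checking the published record with `txt_present` before telling certbot to continue avoids a failed validation when the provider's propagation is slow.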

Looks like that's your only option unfortunately.

