Cannot renew cert that used to work

There's a challenge type - TLS-SNI-01 - that works via HTTPS/port 443. However, this challenge type currently requires you to either use Apache (for which a certbot plugin that automates the validation exists) or stop your existing web server for a few seconds so that certbot (with the standalone plugin) can listen on port 443. The good news is that a certbot plugin for nginx is being worked on and is going to use this challenge type, so you could probably switch to this if you want to with one of the upcoming releases (sorry, no ETA :blush:).

For some discussion on why the HTTP-01 challenge type does not work via HTTPS, and why it might not really be all that bad to listen on port 80 for an HTTPS-only site anyway, see this old thread: