The http-01 challenge must be sent on port 80 (though it will follow redirects to 443). Unless you can do this, it is not an option for you.
The remaining option is the dns-01 challenge (
--preferred-challenges dns-01). For automatic renewal using this challenge, Certbot supports a number of DNS providers and you also have the option of providing script hooks to automatically perform the DNS validation updates.