Yes, and you should/can leave port 80 open.
There is no known increased risk in adding port 80 access to a system with port 443 already open.
You could reduce your systems' exposure via port 80 by answering all such connections within one single HTTP vhost config. In there you could redirect all connections to HTTPS and only exclude redirection for /.well-known/acme-challenge/ requests.
You could even go one step further (if you are very security conscious) and ensure those challenge requests are not served from your active document root path.
And if you are extremely paranoid about such security, you could run two independent servers (one for port 80 and one for port 443) - in the same server or in separate servers (they could even be two different web servers, like Apache & NGINX) - and have one proxy to the other or to a shared location common/accessible to both.
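The single port-80 vhost described above, sketched for NGINX as an added example that is not part of the original post. The directory `/var/www/acme-challenge` is an assumed path kept apart from the site's document root; the ACME client's webroot would need to point at it.

```nginx
# Added example: one catch-all vhost answers every plain-HTTP connection.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Only HTTP-01 challenge files are served over port 80.
    # ^~ stops regex locations from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        # Assumed path, separate from the active document root, so nothing
        # from the real site is reachable over plain HTTP.
        # A request for /.well-known/acme-challenge/<token> maps to
        # /var/www/acme-challenge/.well-known/acme-challenge/<token>.
        root /var/www/acme-challenge;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is redirected to HTTPS and never served here.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading, a request to any other path on port 80 should return a 301 to the HTTPS URL, and a request for a nonexistent token under the challenge path should return 404 rather than a redirect.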