Have a look at https://letsencrypt.org/docs/allow-port-80/
From what I can tell, your ISP does not block port 80, so you should be able to port forward it to your webserver.
You may have been renewing via port 443 previously, but that’s generally no longer possible with Certbot: IMPORTANT: What you need to know about TLS-SNI validation issues . So you’ll need to setup nginx to listen on port 80, even if it all it does is redirect to port 443.