(edited) This is a little strange, because people are routinely able to use Let's Encrypt client software to automate renewals using port 443. It would be great to know why people think that it can't be done in this case.
In particular, certbot-auto renew should still be able to renew via port 443 just as it could with port 80. And if you can run it from a cron job, it should still be able to do so automatically!