There are three challenge types used by Let's Encrypt (see Challenge Types - Let's Encrypt for more info) and two of them require an open incoming port to the host (port 80 or port 443). If that isn't possible, the only option you have is to use the dns-01 challenge.
See DNS providers who easily integrate with Let's Encrypt DNS validation for a thread trying to summarise DNS hosting providers which can be used easily with Let's Encrypt.
There are also free domain names available (e.g. from Freenom), but as a free service, those DNS servers might sometime perform less well.