Just to be really clear about this conceptually (although I think you've probably got it!), there is a difference here between
- how do you get the certificate (including in the future for eventual renewals)? (you have to prove control of the domain name using port 80, port 443, or DNS TXT records—by Let's Encrypt policy)
- how do you use the resulting certificate with a service on a port other than 443? (a matter of configuration for the application that provides that particular service, and in this case maybe also a container that it runs inside of)