You can use the directives --http-01-port and --tls-sni-01-port to specify other ports where certbot will be listening but as you said, Let’s Encrypt will always reach out over 80/443, so these port directives are only useful in cases where you are forwarding port 80 or 443 from the router to a machine in your lan listening in another port or something similar 
1 Like