Let's Encrypt without port 80

The TLS-SNI (port 443) challenge had to be withdrawn due to a serious security issue, but it did more or less what you are suggesting.

However, work is in progress to replace it, so hopefully it will be back at some point.

For now, you have the option of the DNS challenge, which works fine for people who can't/don't run any services on port 80 or services that aren't accessible from the internet.

This is usually addressed by the secure flag, preventing insecure transmission of cookies. There's a further problem that browsers will not reliably attempt to connect to port 443 by default, so bootstrapping via port 80 is required in most cases anyway 🙁.
