Depending on your configuration you might be able to use --tls-sni-01-port 8123
However I wouldn’t really recommend that (even if it works): the TLS-SNI-01 challenge is deprecated so ideally you should switch to one of the other challenges. If your port 80 is open you can use the HTTP-01 challenge. You can probably do this by:
./letsencrypt-auto renew --cert-name mydomain.duckdns.org --force-renewal --preferred-challenges http-01
(Just run that once, then the normal letsencrypt-auto renew command should work in cron from then on). If you’ve forwarded port 80 to a different port, add --http-01-port 1234 or whatever the port number is.
If you don’t have port 80 open and forwarded, or for whatever other reason the above doesn’t work, you can try the DNS challenge. Remember to add a --deploy-hook if you want it to automatically reload your webserver after renewal.