Before I moved to DNS verification, I used NGINX to internally proxy Let's Encrypt port 443 requests to my verification server, which listened on port 80. This also allowed me to use a single verification server to verify multiple domains that were hosted on other servers. All those other servers were proxying the 443 Let's Encrypt requests to one final server listening on port 443, which then contacted the upstream verification server on port 80.
This was the file which I included in every server:

    location /.well-known/acme-challenge/ {
        proxy_pass https://gateway-to-intranet.example.com/.well-known/acme-challenge/;
    }

and on the gateway-to-intranet.example.com server I included:

    location /.well-known/acme-challenge/ {
        proxy_pass http://192.68.20.25:80/.well-known/acme-challenge/;
    }
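
A more defensive variant of the per-server include above, as an added example that is not part of the original post. NGINX does not verify the upstream certificate on an `https` `proxy_pass` unless `proxy_ssl_verify` is enabled; the CA bundle path below is an assumption (Debian/Ubuntu location).

```nginx
# Added example, not from the original post.
# ^~ keeps regex locations elsewhere in the server block from
# taking over requests under this prefix.
location ^~ /.well-known/acme-challenge/ {
    # HTTP-01 validation only fetches the token; limit_except GET
    # also permits HEAD and rejects every other method.
    limit_except GET {
        deny all;
    }

    proxy_pass https://gateway-to-intranet.example.com/.well-known/acme-challenge/;

    # Upstream certificate checks are off by default. Enable them so the
    # challenge response is known to come from the gateway and not from
    # whatever host the name happens to resolve to.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_server_name         on;   # send SNI to the gateway
    proxy_ssl_name                gateway-to-intranet.example.com;

    # Assumption: system CA bundle on Debian/Ubuntu; adjust the path
    # for other distributions or point it at a private CA file.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
}
```

The hop from the gateway to the verification server in the original setup is plain HTTP, so that link relies on the internal network being trusted.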