Renewing via port 443

You used to be able to complete challenges via port 443 (with plain HTTPS protocol), it’s just that there was quite a severe security vulnerability discovered, allowing people to create certificates for domains they don’t own, which made that practice untenable.

You can still use port 443 to complete challenges, but it requires implementing the TLS-ALPN challenge, which simply isn’t supported by the majority of e.g. Apache and nginx deployments.

Caddy is one such server that supports it.

If you have a very new version of Apache, you can also use the mod_md module which also supports TLS-ALPN.

You can also stop your server, use a Let’s Encrypt client like acme.sh that will create a TLS-ALPN server on port 443, issue your certificate, and start it again all automatically:

acme.sh --issue --alpn -d example.com \
--pre-hook "service apache2 stop" \
--post-hook "service apache2 start"

Everybody wishes that port 443 completion of challenges was simpler but there wasn’t a way identified to do it sufficiently securely.

Also, https://letsencrypt.org/docs/allow-port-80/

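To show what the TLS-ALPN server that acme.sh spins up on port 443 actually presents, here is an added example (not acme.sh's or Let's Encrypt's code) that builds the pieces of a TLS-ALPN-01 validation as RFC 8737 specifies them: the key authorization bound to the account key's JWK thumbprint, and the critical acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31) whose value is the SHA-256 of that key authorization. The account key and token are constructed placeholders, not real values.

```python
"""TLS-ALPN-01 validation material per RFC 8737 / RFC 8555 (added illustration)."""
import base64
import hashlib
import json

ACME_TLS_ALPN = b"acme-tls/1"  # ALPN protocol the validation server must negotiate
# DER-encoded OBJECT IDENTIFIER for id-pe-acmeIdentifier (1.3.6.1.5.5.7.1.31)
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b06010505070131")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 key authorization: ties the challenge token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def acme_identifier_extension(token: str, account_jwk: dict) -> bytes:
    """DER of the critical acmeIdentifier extension in the self-signed validation cert.

    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN TRUE,
                             extnValue OCTET STRING (wrapping OCTET STRING (SIZE(32))) }
    The 32-byte payload is SHA-256 of the key authorization.
    """
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    inner = b"\x04\x20" + digest  # Authorization ::= OCTET STRING (SIZE (32))
    body = ACME_IDENTIFIER_OID_DER + b"\x01\x01\xff" + b"\x04" + bytes([len(inner)]) + inner
    return b"\x30" + bytes([len(body)]) + body


# Constructed sample values (not a real account key or challenge token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "kid": "ignored"}
SAMPLE_TOKEN = "constructed-token"

if __name__ == "__main__":
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print(acme_identifier_extension(SAMPLE_TOKEN, SAMPLE_JWK).hex())
```

Because the digest covers the account key thumbprint, a server answering on port 443 for a hostname can only satisfy the challenge if it knows the token issued to that specific ACME account, which is what closes the hole the older port-443 method had.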