@igoratencompass, consider the following example:
There is a NAT box (router) which has the addresses 192.0.2.42 and 2001:db8:1ef9:8325:fad2:98b2:521c:8e45 assigned. For users' convenience, there is a DNS record which points to these addresses - let's assume it is users.example.com. Each user has their own port range at their disposal (say, 50 port numbers), which is redirected to their individual virtual machines (isolated from each other). They are free to use them in any way they like (as you said, you enjoy the freedom of choice). Let's assume that CAs are allowed to perform validation using a port number arbitrarily chosen by the user, as you suggest.

How would you prevent a user from obtaining a certificate for users.example.com?

How would you validate - in an automated way - that a service listening at a given port number is allowed to obtain a certificate for a domain pointing to these addresses?

Do you believe it should be the responsibility of the network administrator or the responsibility of the certification authority?
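The scenario above, modelled as an added example (not the commenter's code): a NAT box forwards per-tenant port ranges to isolated VMs, and a CA validates control of the shared name by seeing who answers on the chosen port. The tenant names, port numbers and the assumption that ports 80 and 443 are served only by the router administrator are constructed for the illustration; the point is that a validation port must be one the administrator, not an arbitrary tenant, controls, which is why ACME's HTTP-01 and TLS-ALPN-01 challenges are fixed to 80 and 443.

```python
from dataclasses import dataclass

ADMIN = "router-admin"           # hypothetical party operating the NAT box
PRIVILEGED_PORTS = {80, 443}     # ports used by ACME HTTP-01 / TLS-ALPN-01


@dataclass
class NatBox:
    """Forwarding table: port -> tenant whose VM answers on that port."""
    forwards: dict

    def who_answers(self, port: int) -> str:
        # Assumption: 80/443 are outside every tenant range, so only the
        # administrator can put a responder there.
        if port in PRIVILEGED_PORTS:
            return ADMIN
        return self.forwards.get(port, "nobody")


def build_nat(tenants, first_port=10000, range_size=50) -> NatBox:
    """Give each tenant a contiguous block of range_size forwarded ports."""
    table = {}
    for i, tenant in enumerate(tenants):
        base = first_port + i * range_size
        for port in range(base, base + range_size):
            table[port] = tenant
    return NatBox(table)


def validation_passes(nat: NatBox, requester: str, port: int) -> bool:
    """CA-side check: the party answering on the chosen port is the requester."""
    return nat.who_answers(port) == requester


def tenants_who_can_get_cert(nat: NatBox, tenants, allowed_ports) -> set:
    """Tenants able to pass validation for the shared name under a port policy."""
    return {t for t in tenants
            if any(validation_passes(nat, t, p) for p in allowed_ports)}


if __name__ == "__main__":
    tenants = ["alice", "bob", "carol"]     # constructed sample tenants
    nat = build_nat(tenants)
    print("any port:  ", tenants_who_can_get_cert(nat, tenants, range(1, 65536)))
    print("80/443 only:", tenants_who_can_get_cert(nat, tenants, PRIVILEGED_PORTS))
```

With an arbitrary-port policy every tenant passes validation for users.example.com; with the 80/443 policy none does, and only the administrator can.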