+1 to add the option to use a challenge in a port other than 80 and 443.
IMO this would be the ideal solution for servers that are not serving static content whatsoever: run the standalone server in a different port, not interfering with either http or https traffic.
A parametrized port for the challenge to be executed would be the best, but a fixed, usually unused port would also work for me (such as port 12 or 40 as per https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).
@mehaase: Had a similar problem, this was my solution (I run an nginx proxy in front of my app server by default; don't know how feasible that is for you):
# HTTP server block: serve challenge files from the webroot, turn everything else into a redirect to HTTPS
try_files $uri =410;
error_page 410 =307 https://$host$uri;
# HTTPS server block
listen 443 ssl;
# rest of config...
My /var/www dir is empty except while running the letsencrypt client in webroot mode, and all traffic is successfully redirected to https (you could add HSTS headers if appropriate).
This config does not work when you need to support legacy HTTP traffic (in that case, you still need to take down your app, execute the LE client, then bring it back up).
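As an added example that is not part of the original comment, here is a complete nginx configuration implementing the pattern above: the port 80 server serves only ACME challenge files from the webroot and turns every other request into a redirect to HTTPS, while the port 443 server proxies to the app and sets HSTS. The hostname, certificate paths and upstream address are assumptions.

```nginx
# Added example (not the commenter's own config). example.com, the certificate
# paths and the upstream address are assumed placeholders.
server {
    listen 80;
    server_name example.com;

    # The webroot stays empty except while the LE client runs in webroot mode;
    # only the ACME challenge path is served from it.
    root /var/www;
    location /.well-known/acme-challenge/ {
        try_files $uri =404;
    }

    # Everything else: try_files falls through to 410, which error_page
    # rewrites into a 307 redirect. $request_uri keeps the query string,
    # unlike $uri in the snippet above.
    location / {
        try_files $uri =410;
    }
    error_page 410 =307 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # assumed path

    # HSTS, as the comment suggests; only enable once HTTPS is known to work,
    # since browsers will refuse plain HTTP for max-age seconds afterwards.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed app server behind the proxy
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the port 80 server never reaches the app, renewals need no downtime; as the comment notes, this is only viable when no client must keep talking plain HTTP to the app.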