People have asked about this a lot, but this feature would require a rule change from the CA/Browser Forum. It’s not simply a matter of patching Boulder and Certbot with a
--port-number option or something. Let’s Encrypt could fail our audit if we allowed the use of an unapproved DV verification method, as @pfg mentioned earlier in the thread in regard to the Baseline Requirements.
Authorized Port: One of the following ports: 80 (http), 443 (http), 115 (sftp), 25 (smtp), 22 (ssh). […]
Confirming the Applicant’s control over the requested FQDN by confirming one of the following […] on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port [… or …]
by confirming the presence of a Random Value within a Certificate on the Authorization Domain Name which is accessible by the CA via TLS over an Authorized Port.
Supporting this feature would require a consensus elsewhere, not just here. These policies exist because of debates about how to manage the risk of certificate misissuance due to different kinds of impersonation attacks. As I suggested above, this is a kind of technical consideration because people concluded that the ability to make some kinds of changes proves some kinds of control more convincingly, and the main point of a certificate is that the CA was convinced that it was issued to a proper recipient, not an improper one.
Under the existing Baseline Requirements, the addition of ACME challenges that use port 25, 115, or 22 could be considered with no policy change [edit: although seemingly if they use an unencrypted protocol, it has to be HTTP, while if they use an encrypted protocol, it has to be TLS, both of which create some challenges for practical applications of 25 or 22 right now], but we’d still then say that these need to be discussed in the ACME working group (and maybe they are already being discussed there) in order to make it clear exactly what the proof requested by the CA should be.
A slightly terser answer than @pfg’s accurate answer is “Yes”. The DNS-01 method exists in part for people who dislike the idea of allowing these inbound TCP connections.