From Best Practice - Keep Port 80 Open - Let's Encrypt:
You can use DNS-01 challenges or you can use one of the clients that supports TLS-ALPN-01 challenges (on port 443).
As I mentioned in another recent thread: Certbot's documentation for the DNS-01 challenge is here, but it's only useful if you happen to use a supported DNS service.