When renew --dry-run works, is verification working?

What can happen is that if your Let's Encrypt account successfully completed a validation for a domain within the past 30 days, that success is cached during further attempts. So you can get just the appearance of success.

But as long as your Certbot is 0.28 or higher, the dry-run does not actively complain about TLS-SNI being used and you have port 80 open, you should be all set.

Yes, it's true: How to stop using TLS-SNI-01 with Certbot

Just tcp/80 is needed.
