Just to be clear, this is NOT a recent “change in policy”
jsha (Let’s Encrypt engineer):
We plan to frequently change the set of IPs from which we validate, and will validate from multiple IPs in the future. Any host answering challenges should have port 80 or 443 available to the Internet.
The 443 bit was removed in 2018.
So either it’s 80 to the world for ACME challenges or, if you have control over your nameserver, the better solution of DNS-01 challenges, which doesn’t need any ports opened.