There is another way, I thought. Seem to recall certbot offering it when failing here. If you want more details I can dig into it but it has you create a file in a .well-known and it’ll go check for it there.
Edit: as others mentioned the prerequisite here is that you’re also listening on port 80 somewhere.
Also, don’t forget Let’s Encrypt will time you out if you ping too often.
RIP Trevor