There is another way, I thought. Seem to recall certbot offering it when failing here. If you want more details I can dig into it but it has you create a file in a .well-known and it’ll go check for it there.
Edit: as others mentioned the prerequisite here is that you’re also listening on port 80 somewhere.
Also, don’t forget Let’s Encrypt will time you out if you ping too often.
EGS is like walking around a grocery store offering free samples and leaving without buying anything.