ACME issuers never make the challenge verification request on non-standard ports. The HTTP challenge is always on port 80, and the TLS-ALPN challenge is always on port 443. It’s impossible to change that.
It is possible to change what “HTTP” means from the perspective of Caddy, i.e. bind to a different port when HTTP is needed, but the point of that is so that you can have your router/firewall do 80 → 9080 and then your server accept requests on 9080.
This doesn’t help you in the situation where your ISP blocks that port; it’s more so for when your server has problems binding to low ports for permission reasons.
If you’re using Cloudflare, consider using Cloudflare Tunnels, which set up a secure tunnel between your machine and Cloudflare, and Cloudflare will proxy requests through the tunnel to reach your server, bypassing your ISP’s blocking rules.
I see, thank you! Reading further, it was a false hope, as the certbot docs state:
--http-01-port HTTP01_PORT Port used in the http-01 challenge. This only affects the port Certbot listens on. A conforming ACME server will still attempt to connect on port 80. (default: 80)
The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
With that, I happily recompiled caddy and got the DNS challenge working instead. In case someone benefits from this:
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
xcaddy build --output ~/opt/ --with github.com/caddy-dns/cloudflare
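For anyone landing here from search, a Caddyfile that ties the two halves of this thread together (the http_port remapping from the first reply, and the DNS challenge the custom build enables). This is an added example, not something posted by either participant: the hostname example.com, the env var name CF_API_TOKEN and the upstream localhost:8080 are placeholders to replace.

```caddyfile
{
    # Global option from the first reply. Caddy will listen on 9080 for
    # plain HTTP, but a conforming ACME server still dials port 80, so
    # HTTP-01 only works if your router/firewall forwards 80 -> 9080.
    # It does nothing for you if the ISP blocks 80 itself; it only avoids
    # binding a privileged port. With the DNS challenge below, port 80
    # is not needed for issuance at all.
    http_port 9080
}

# Placeholder hostname; replace with your own.
example.com {
    tls {
        # DNS-01 via the caddy-dns/cloudflare module compiled in with xcaddy.
        # The API token is read from the environment so it never sits in the
        # config file on disk; CF_API_TOKEN is an assumed variable name.
        # Scope the token to the zone(s) Caddy manages (Zone:Read, DNS:Edit)
        # rather than using a global API key.
        dns cloudflare {env.CF_API_TOKEN}

        # Optional: use a public resolver for the propagation check instead
        # of the ISP's resolver, which may cache stale answers.
        resolvers 1.1.1.1 1.0.0.1
    }

    # Whatever you are actually serving; assumed upstream.
    reverse_proxy localhost:8080
}
```

Before relying on it, confirm the plugin really made it into the binary with `caddy list-modules | grep dns.providers.cloudflare`, and run `caddy validate --config Caddyfile` so a typo in the tls block fails at load time rather than at the first renewal.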