If you’re using default web/http validation… then the validation has to happen with port 80. This is Let’s Encrypt’s requirement, rather than Certify. If port 80 forwards to HTTPS/443 or any other port… it will be happy enough as long as the challenge is met.
When Certify makes the certificate request to Let’s Encrypt, the API tells Certify to create a file with a specific(random) name with specific(random) contents. This is the challenge. It proves that you control the webserver on port 80. If necessary, Certify can spin up its own webserver to meet this challenge on port 80.
As you’ve discovered, you met the hourly(?) rate limit on Let’s Encrypt. Wait a bit and try again.
If you find port 80 validation to be an issue, your other alternative is DNS validation… but this requires you can programmatically control your domain’s DNS entries. If you can’t manage that, you can redirect DNS entries to a service that can… but that’s another topic that I have not done myself.