Error in renewing Letsencrypt ...?

Hi. I have this same issue, port 443 -> 8123, which must be quite common.

Is there some way we can achieve this renewal without having to change a router port forward, run the renewal, then reset the port forward?
I’d like to automate the process as much as possible… that’s why we’re all here, right? :wink:

I think the issue is that we need certbot to support doing the renewal on a different port, not 443, since that’s forwarded for HA. So for auto-renew to work we need to be able to get it to use a different port and then set up another forwarding rule on the router just to be used for the renewals. It seems that when we could use http-01 this renewal was done on port 80. However, since we now have to use tls-sni-01, this only works on 443, see: https://community.letsencrypt.org/t/how-to-specify-a-port-different-from-443-for-the-dvsni-challenge/12753

So long as there’s nothing else stopping you, you can use http-01 on port 80 without issue, see my detailed guide in the docs.

Thus, permanently:
80 - 80
443 - 8123

Auto renewals and no buggering about :slight_smile:
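
An added example, not written by any poster in this thread and not taken from the guide mentioned above: a shell helper that derives the certbot renewal command from the router forwards listed in the post. The function names and the `FORWARDS` table are constructed for illustration, and it assumes certbot's standalone authenticator is in use.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes certbot's standalone
# authenticator. The CA always sends the http-01 request to EXTERNAL port 80;
# the router forward decides which internal port receives it.

# Constructed sample: the forwards from the post, one "external internal" pair per line.
FORWARDS='80 80
443 8123'

# Reads "external internal" pairs on stdin and prints the internal port that
# external port 80 is forwarded to. Fails if port 80 is not forwarded at all.
http01_internal_port() {
    awk '$1 == 80 { print $2; found = 1; exit } END { if (!found) exit 1 }'
}

# Reads the forward table on stdin and prints the renewal command.
# --http-01-port makes certbot listen on the internal side of the forward,
# so the 443 -> 8123 rule used by Home Assistant is never touched.
renew_cmd() {
    port=$(http01_internal_port) || {
        echo "external port 80 is not forwarded; http-01 cannot be validated" >&2
        return 1
    }
    printf '%s renew --standalone --preferred-challenges http --http-01-port %s\n' \
        "${CERTBOT:-certbot}" "$port"
}

# Run the renewal only when asked to, e.g. from cron: ./renew.sh --run
if [ "${1:-}" = "--run" ]; then
    cmd=$(printf '%s\n' "$FORWARDS" | renew_cmd) && exec $cmd
fi
```

Without `--run` the script only defines the functions, so the generated command can be inspected before it is scheduled.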

Where, which one?