I am not sure anymore if I understood the problem correctly.
The most convenient way to prevent the usage of Port 80 is to force the redirection in Apache. In UCS this can be done using the
apache2/force_https UCRV. While this does not close Port 80, it allows users to type the hostname or URL in the browser without prepending "https://". As long as most browsers use "http://" as the default or you are using the "HTTPS Everywhere" or a comparable plugin, your users will get a timeout when they try just the hostname in case Port 80 is filtered.
The "Cool Solution" for Let's Encrypt is now able to deal with the forced redirection as described above.
If you want additional security you can enable HSTS.
Everything else is making things more complex with just little extra security but the loss of convenience.
This problem is IMO independent from Let's Encrypt and Port 80.
- change the UCRV
- restrict access to certain sites using .htaccess and "Allow From ..." rules.
Both methods are already discussed here as well as the HSTS topic.
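As an added illustration (not part of the post above, and not the configuration UCS generates from the UCRV), this is what the three measures mentioned look like as hand-written Apache 2.4 configuration: the HTTP-to-HTTPS redirect, an HSTS header, and a per-directory client restriction. The hostname, network range and HSTS lifetime are placeholders.

```apache
# Port 80 stays open only to send every request to its HTTPS counterpart.
# On UCS the equivalent redirect is produced by setting apache2/force_https;
# this block is an assumed stand-alone equivalent, not the UCS-generated one.
<VirtualHost *:80>
    ServerName ucs-master.example.com
    Redirect permanent "/" "https://ucs-master.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName ucs-master.example.com
    SSLEngine on
    # Certificate paths are placeholders for wherever the Let's Encrypt files live.
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # HSTS: browsers that have seen this header once will rewrite http:// to
    # https:// themselves, so the Port 80 redirect is no longer relied upon.
    # max-age is an assumed value (one year); start lower when first testing.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Restricting a single site to an internal network range (placeholder range).
    # Apache 2.4 syntax; "Allow from ..." as named in the post is the 2.2 form
    # and only works in 2.4 with mod_access_compat loaded.
    <Directory "/var/www/internal-site">
        Require ip 10.0.0.0/8
    </Directory>
</VirtualHost>
```

The same `Require ip` line can be placed in a .htaccess file inside the directory instead, provided `AllowOverride AuthConfig` (or `All`) is enabled for it.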