redirects from port 80 for the authorization domain are allowed to port 80/443 of another domain (not bare IP addresses and not any other ports). Any certificates received on 443 are not validated. I don’t know that we have that documented anywhere user-facing but you can verify it is true experimentally and with the Boulder source code for the Let’s Encrypt validation authority (VA).
https://community.letsencrypt.org/t/question-regarding-self-signed-certificate-and-http-01-challenge/74469/3
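
A pre-flight check for your own HTTP-01 redirect configuration, applying only the rules stated in the quoted post (target port 80 or 443, no bare IP addresses). This is an added example, not code from the post or from Boulder; the function names and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = {80, 443}                     # per the post: no other ports
DEFAULT_PORTS = {"http": 80, "https": 443}    # port implied when none is given


def check_redirect_target(url):
    """Return (ok, reason) for one absolute redirect target."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, "scheme is not http or https"
    host = parts.hostname
    if not host:
        return False, "no host in redirect target"
    try:
        ipaddress.ip_address(host)            # matches IPv4 and bracketed IPv6
        return False, "target is a bare IP address"
    except ValueError:
        pass                                  # not an IP literal: a domain name
    try:
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:
        return False, "port is not a valid number"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not 80 or 443"
    # The post says the certificate served on 443 is not validated, so a
    # self-signed certificate on the target is not checked here either.
    return True, "ok"


def check_chain(start_url, locations):
    """Resolve each Location value against the previous hop and check it."""
    current = start_url
    for location in locations:
        target = urljoin(current, location)   # handles relative redirects
        ok, reason = check_redirect_target(target)
        if not ok:
            return False, f"{target}: {reason}"
        current = target
    return True, "ok"
```

Feed `check_chain` the challenge URL and the `Location` values your web server returns for it, hop by hop, before requesting the certificate.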