TLS ACME challenge and port 443


We're deploying Traefik v2 in Kubernetes behind a NodePort service on a high container port (8000), which is exposed to the outside world by a load balancer (AWS NLB) on $public_ip:443, and the TLS-ALPN-01 Let's Encrypt challenge doesn't seem to be working. Is there a way to specify the entry point for the TLS challenge, similar to the HTTP challenge? Or do we need to literally expose 443 on the Traefik pods, then route through the service and NLB as well?