It's not a question of what challenge we request to use, it's a question of what challenges Let's Encrypt sends back to our request when we submit the CSR. It doesn't always match what we requested. It will always include a DNS challenge for a wildcard certificate, even if we request an HTTP challenge. In the case where I requested a wildcard and the non-subdomain certificate, it was sending back a DNS challenge for the wildcard and an HTTP challenge for the domain root, even if I submitted the signing request with auth/acmed -t dns. The hybrid means "I don't know what the signer is going to request, so figure it out when I get the challenge."
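
The per-authorization selection described above, sketched as an added example that is not part of the original comment or the project's code. It assumes authorization objects in the RFC 8555 shape; the mode names and their preference order are hypothetical, and the identifiers, URLs and tokens are constructed.

```python
"""Pick a challenge per ACME authorization from what the server offered."""

def _authz(name, types, wildcard=False, status="pending"):
    # Builds a constructed authorization object (RFC 8555 field names).
    prefix = "wild-" if wildcard else ""
    return {
        "identifier": {"type": "dns", "value": name},
        "status": status,
        "wildcard": wildcard,
        "challenges": [
            {"type": t, "status": "pending", "token": f"constructed-{i}",
             "url": f"https://acme.invalid/chall/{prefix}{name}/{i}"}
            for i, t in enumerate(types)
        ],
    }

# Constructed sample order: a wildcard, the domain root, and two other names.
SAMPLE_AUTHZS = [
    _authz("example.org", ["dns-01"], wildcard=True),  # stands for *.example.org
    _authz("example.org", ["http-01"]),
    _authz("www.example.org", ["http-01", "dns-01"]),
    _authz("old.example.org", ["http-01"], status="valid"),
]

# Hypothetical mode names mapped to the challenge types each can answer,
# in order of preference.
MODES = {"dns": ["dns-01"], "http": ["http-01"], "hybrid": ["http-01", "dns-01"]}

class NoUsableChallenge(Exception):
    """The server offered nothing the selected mode knows how to answer."""

def select_challenges(authzs, mode):
    """Return [(name, challenge_type, challenge_url)] for pending authorizations."""
    allowed = MODES[mode]
    plan = []
    for authz in authzs:
        if authz["status"] != "pending":
            continue  # already valid (or failed): there is nothing to answer
        name = authz["identifier"]["value"]
        if authz.get("wildcard"):
            name = "*." + name
        offered = {c["type"]: c for c in authz["challenges"]}
        chosen = next((t for t in allowed if t in offered), None)
        if chosen is None:
            raise NoUsableChallenge(
                f"{name}: offered {sorted(offered)}, mode {mode!r} handles {allowed}")
        plan.append((name, chosen, offered[chosen]["url"]))
    return plan
```

With the sample order, a fixed `dns` or `http` mode fails before any challenge is answered, while `hybrid` produces a mixed plan.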