Not sure about this, but I think Let’s Encrypt doesn’t want to publish the IP ranges they use for verification, since they might change (which could silently break renewal for a large number of users if they encouraged LE-specific firewall rules). There might have even been plans to send one of the verification requests via Tor to make it harder to spoof the challenge, IIRC.
I believe tls-sni-01 is used by the standalone and apache plugins (documented here). Standalone mode would require stopping your web server, after which the client spawns a temporary web server on port 443 to complete the challenge. I’m not sure if you can avoid the downtime with tls-sni-01.
The challenge types are documented on a protocol level in this IETF draft document. Not all that relevant though, unless you want to write your own client.
There are some alternative clients as well.