The practical problem that I think you’re alluding to is that it only supports one plugin per cert; a plugin can support as many challenge types as it chooses to, but we don’t have any existing plugins that directly support both DNS-01 and HTTP-01.
The exception to this is that --manual can do it. In particular if you use --manual --preferred-challenges http with a mixed wildcard and non-wildcard request, it should attempt to use DNS-01 for the wildcard (because the CA insists on it) and HTTP-01 for the non-wildcard (because the user prefers that). The disadvantage here is that the challenges probably would be satisfied manually by the user and automated renewal wouldn’t be available. However, writing an authenticator hook script could automate this process if you have the ability to perform tasks to satisfy both challenge types from your own script.
This is definitely a bit of a nuisance, but it’s an existing option with Certbot.
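A sketch of the kind of authenticator hook the post above describes, added here as an example and not part of the original post or of Certbot itself: one script that tells the two challenge types apart and satisfies each. The webroot path, DNS server, TSIG key file, the 30-second propagation wait and the use of nsupdate (RFC 2136) are assumptions; the CERTBOT_* variables are the ones Certbot exports to manual hooks.

```shell
#!/bin/sh
# Added example: one manual auth hook serving both DNS-01 and HTTP-01.
# Assumed, site-specific settings (placeholders, not from the post):
WEBROOT="${WEBROOT:-/var/www/html}"
DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
DNS_KEYFILE="${DNS_KEYFILE:-/etc/certbot/tsig.key}"

# Certbot sets CERTBOT_TOKEN only for HTTP-01, so its presence selects the type.
challenge_type() {
    if [ -n "${CERTBOT_TOKEN:-}" ]; then echo http-01; else echo dns-01; fi
}

# HTTP-01: publish the validation string under /.well-known/acme-challenge/.
http01_publish() {
    # Tokens are base64url; reject anything else so the value can never
    # name a file outside the challenge directory.
    case "$CERTBOT_TOKEN" in
        ''|*[!A-Za-z0-9_-]*) echo "unexpected token format" >&2; return 1 ;;
    esac
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$CERTBOT_VALIDATION" > "$dir/$CERTBOT_TOKEN"
}

# DNS-01: emit the nsupdate commands that add the TXT record.
dns01_commands() {
    name="${CERTBOT_DOMAIN#\*.}"   # drop a leading "*." if one is present
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' \
        "$name" "$CERTBOT_VALIDATION"
    printf 'send\n'
}

auth_hook() {
    case "$(challenge_type)" in
        http-01) http01_publish ;;
        # Assumed 30 s wait for the record to reach the authoritative servers.
        dns-01)  dns01_commands | nsupdate -k "$DNS_KEYFILE" && sleep 30 ;;
    esac
}

# Run only when Certbot invoked us (it always exports CERTBOT_DOMAIN).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then auth_hook; fi
```

The script would be passed with --manual-auth-hook alongside the --manual --preferred-challenges http options mentioned above; a matching --manual-cleanup-hook would remove the file or TXT record afterwards.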