Upgraded certbot renew --dry-run shows it still using tls-sni-01 unless overridden

Another place the preference may come from is cli.ini, if it exists.

By default, the following locations are searched:

  • /etc/letsencrypt/cli.ini
  • $XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).

Does anything at all mention it in the directory?

grep -RE "(pref_challs|challenges)" /etc/letsencrypt/

Something that might help is running the dry-run with -vvv. If you have a config file set somewhere, it will spit out (early on):

Var pref_challs=tls-sni-01 (set by user).
Var dry_run=True (set by user).

and I'd double check that all of your Certbot packages are in sync with respect to version:

dpkg --list | grep -E "python.?-certbot"
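Added example, not part of the original post: a small shell function that goes one step beyond the recursive grep by also checking the per-user cli.ini, skipping commented-out lines, and printing file and line number for each setting that still names tls-sni. It assumes the standard `renewal/*.conf` layout under the config directory and the `preferred-challenges` key spelling in cli.ini; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# find_tls_sni_prefs [ETC_DIR] [USER_DIR]  -> prints file:line:setting
# Defaults follow the cli.ini search locations listed in the post.
find_tls_sni_prefs() {
    etc_dir=${1:-/etc/letsencrypt}
    user_dir=${2:-${XDG_CONFIG_HOME:-$HOME/.config}/letsencrypt}
    for f in "$etc_dir/cli.ini" "$user_dir/cli.ini" "$etc_dir"/renewal/*.conf; do
        [ -f "$f" ] || continue
        # Anchoring at line start skips commented-out settings.
        # The extra /dev/null operand makes grep prefix each hit with the file name.
        grep -nE '^[[:space:]]*(pref_challs|preferred-challenges)[[:space:]]*=.*tls-sni' \
            "$f" /dev/null || :    # "no match" is not an error here
    done
}

# Constructed sample tree so the function can be tried without touching /etc.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/renewal" "$root/user"
    printf '%s\n' '# preferred-challenges = tls-sni-01' \
        'preferred-challenges = http' > "$root/etc/cli.ini"
    printf '%s\n' '[renewalparams]' 'authenticator = apache' \
        'pref_challs = tls-sni-01,' > "$root/etc/renewal/example.com.conf"
    printf '%s\n' '[renewalparams]' \
        'pref_challs = http-01,' > "$root/etc/renewal/example.org.conf"
    echo "$root"
}

sample=$(make_sample_tree)
find_tls_sni_prefs "$sample/etc" "$sample/user"
rm -rf "$sample"
```

Called with no arguments, `find_tls_sni_prefs` reads the real default locations.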