Wildcard certificates are probably the most important answer: they’re not available via HTTP challenge.