Wow! Such broken. I was starting to get suspicious of openssl myself. Poor documentation about the rules on context switching and whether doing things in a certain order should trigger callbacks.
At least you can get a cert when the ALPN / ACME certificate (and DEFAULT?) is the only one provided by twisted. If the several attempts they make came from the same IP address, that might be one way to hack it.
If it gets that bad I'll put the ClientHello regex next to the regex-based pkcs parser from my rsalette library :)
Fixing the http-01 challenge is a very rational suggestion.