Certbot add www domain to existing domain certificate

The existing answers are correct, but not everyone may be clear (I wasn't) about what is going on, especially after reading the official certbot docs on the subject.

First you'll want to list your existing certificates, just to be clear on what you have already:

sudo certbot certificates

You'll notice each certificate has a "name". Let's say you have a certificate with a name of example.com, and it has a certificate for the domain example.com as well. You can use the certonly option to just update the certificate, and use the --cert-name option to specify exactly which certificate you are updating. Don't forget to include your existing domain as well as the new domain you are adding.

sudo certbot certonly --cert-name example.com -d example.com,www.example.com

If you trust certbot to figure out the correct certificate (analogous to the "I'm feeling lucky" button Google used to have for searches), it appears you can skip the --cert-name and use --expand instead. This way certbot will find which certificate you are referring to by picking the one that has a subset (a proper subset—the docs say a "strict subset") of the domains you indicate.

sudo certbot certonly --expand -d example.com,www.example.com

In all of these, whether you need --webroot depends on your particular configuration.

UPDATE: You can now do this by passing the --expand flag (see docs):

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains.

See this answer for an example.

In short: you can't.

The domains you specify during the initial config become integral parts of the final certificate that is then signed by Let's Encrypt. You can't retroactively change it by adding additional domains or even subdomains as this would undermine its validity.

Solution: start from scratch! (not really a big deal with certbot)

Use this command: certbot modifier --expand, just like the following:

sudo certbot-auto certonly --webroot -w /srv/www/htmlroot/ --expand -d domain1.com -d domain2.com -d www.domain1.com