Currently Certbot (the program that you’re using with its old name
letsencrypt) doesn’t have an option to add or remove a name, although we plan to add one¹. What you have to do is request a certificate that contains all the names that you want, and then Certbot will replace the old certificate with the newly-issued one. @_az’s suggestion to use multiple
-d options is right: you have to request the certificate to cover both the www and the base domain.
If you want to test with
--dry-run, you can add
certonly and then the test should go ahead.
¹ I mean, you can add and remove names by giving a different list of names that the certificate should cover, but there is no option dedicated to performing this specific task, without also requiring you to list all of the names that you want in the cert.