Use a single file to consolidate all FQDNs and their corresponding webroot mappings.
Allow certbot to look for such a file, include the content, and update it as needed.
If an FQDN is NOT in the current webroot mapping “list”, then proceed (as usual) as if it wasn’t in the renewal.conf file.
When --webroot is specifically requested, update all stored webroot settings in that one single file.
As unique FQDNs should be served from unique document roots, it stands to reason that such a global webroot combination would NOT create a conflict.
In the event a conflict should arise, certbot should stop and make it clear to the end user that they have a conflict in their config and that they should correct it before continuing.
– open for discussion –
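
A sketch of the consolidation and conflict check proposed above, as an added example that is not part of the original post and not certbot code. It assumes the per-certificate renewal files keep their `[[webroot_map]]` subsection, and it assumes a "conflict" means the same FQDN mapped to two different webroots; the function names and sample files are hypothetical.

```python
import os

class WebrootConflict(Exception):
    """Raised when one FQDN is mapped to two different webroots."""

def parse_webroot_map(conf_text):
    """Return {fqdn: webroot} from the [[webroot_map]] subsection of one renewal file."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Any other section header ends the webroot_map subsection.
            in_map = (line == "[[webroot_map]]")
            continue
        if in_map and "=" in line:
            fqdn, path = (part.strip() for part in line.split("=", 1))
            # Normalise so "/var/www/x/" and "/var/www/x" are not a false conflict.
            mapping[fqdn.lower()] = os.path.normpath(path)
    return mapping

def consolidate(confs):
    """Merge all per-certificate maps into one dict; stop on the first conflict."""
    merged, origin = {}, {}
    for name, text in confs.items():
        for fqdn, path in parse_webroot_map(text).items():
            if fqdn in merged and merged[fqdn] != path:
                raise WebrootConflict(
                    f"{fqdn}: {merged[fqdn]} ({origin[fqdn]}) vs {path} ({name})")
            merged[fqdn] = path
            origin[fqdn] = name
    return merged

def lookup(merged, fqdn):
    """Webroot for fqdn, or None so the caller proceeds as usual."""
    return merged.get(fqdn.lower())

# Constructed sample renewal files (assumption: not taken from the post).
SAMPLE = {
    "example.com.conf": "[renewalparams]\nauthenticator = webroot\n"
                        "[[webroot_map]]\nexample.com = /var/www/example/\n",
    "shop.example.com.conf": "[renewalparams]\nauthenticator = webroot\n"
                             "[[webroot_map]]\nshop.example.com = /var/www/shop\n",
}
```
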