So, to report back the issues I have, when I run
certbot --expand -d sales.existingdomain.com -d sales.newdomain.com
I get this:
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for sales.existingdomain.com
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
And it fails.
If I run:
certbot certonly -d sales.existingdomain.com -d sales.newdomain.com
I get this and I do not know what to select as I do not want to enter a new webroot.
Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sales.existingdomain.com
http-01 challenge for sales.newdomain.com
Select the webroot for sales.existingdomain.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): c
Cleaning up challenges