Let’s Encrypt doesn’t offer wildcard at the current time.
If you’re using a new enough version of certbot (formerly letsencrypt), you can run the exact same command you did but add the extra domain at the end and include “–expand” in the command so it will re-use the existing certificate directory. You can find out more at https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
Alternately, if you’re using an older version of certbot, you can use the --cert-name parameter to force the overwrite of the existing certificate you got. See https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains for more information.
Of course, you can always just make a new certificate for the cdn subdomain.