Hello @sahsanu,
Re 1. (removing domain): It’s always nice to hear that someone else has the same issue too, even though it does not help a bit 
I looked at the letsencrypt code and it seems that letsencrypt gets the list of domains not from the .conf file in /etc/letsencrypt/renewal, but from the certificate itself. So as it stands, until there is an explicit option to tell letsencrypt to remove a SAN domain from a multidomain certificate, what I want to do will not be possible.
Re 2. (adding domain): Yes, I noticed that and it worked nicely for me for quite some time too. Note that according to letsencrypt-auto --help all, --expand is automatically assumed when using the --renew-by-default option (but it’s perhaps better to be explicit just in case).
Btw., I became enough confident about the problem to create a github issue for my problem: https://github.com/letsencrypt/letsencrypt/issues/2071