As a super-tiny correction, we considered having the domains listed in the .conf file, and it is technically possible to list them there, but we ended up deciding against this design and instead choosing to use the existing certificate as the canonical source for what domains should be included when the certificate is renewed. So whenever you run certbot renew, it is actually looking at the existing cert to get the list of domains, even though it looks at the .conf file for many other purposes.