Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It would be helpful to see the Certbot command that you ran and the output.
Most straightforward methods of getting certificates with Certbot expect you to run Certbot on the machine that the DNS record points to, and only request names in your certificate that point to that machine. In this case you would usually want to get separate certificates for the main domain and subdomain, perhaps by running Certbot separately and independently on two different machines. This is perfectly valid to do.
It's hard to advise further without seeing specific commands and error messages.
The problem is that I want to add subdomains for my dns and mail servers to an existing certificate but they are actively using different IPs so I can't change them to point the the my webserver; however, you gave me the info I need. Apache is available on the mail and dns servers so I'll create and run instances that serve no content other than .well-known, adjust the firewall, and rerun certbot.
Certbot can also spin up a temporary webserver with the --standalone authenticator plugin, so Apache is not really necessary if you don't use it for any other purpose.