Hi,
I already succeeded in expanding an existing domain, see "Webroot --expand : a user error or a doc error?". But this time: no way.
I have an SSL for: blog.example.org,ostatus.example.org,example.org,www.example.org. Working.
I need to update ostatus to the last gnusocial (because using an alpha in prod is always taking a risk).
I ran this command:
/root/bin/certbot-auto certonly \
--expand \
--email denis@example.org --user-agent letsencrypt --webroot \
-w /home/example.org/htdocs/www/spip -d www.example.org \
-w /home/example.org/htdocs/blog -d blog.example.org \
-w /home/example.org/htdocs/ostatus -d ostatus.example.org \
-w /home/example.org/htdocs/www/spip -d example.org \
-w /home/example.org/htdocs/static -d static.example.org
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for blog.example.org
http-01 challenge for ostatus.example.org
http-01 challenge for example.org
Using the webroot path /home/example.org/htdocs/static for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0040_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0040_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.example.org/fullchain.pem. Your cert
will expire on 2017-04-13. To obtain a new or tweaked version of
this certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
This seems OK, but look again: no static.example.org in the list, and the keychain stays for the other domains only …
OS: Debian wheezy with security.debian.org
Web server: Apache 2
In ssh.
If I try with dry-run:
# /root/bin/certbot-auto certonly --expand \
> --staging \
> --email denis@example.org --user-agent letsencrypt --webroot \
> -w /home/example.org/htdocs/www/spip -d www.example.org \
> -w /home/example.org/htdocs/blog -d blog.example.org \
> -w /home/example.org/htdocs/ostatus -d ostatus.example.org \
> -w /home/example.org/htdocs/www/spip -d example.org \
> -w /home/example.org/htdocs/static -d static.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: www.example.org, blog.example.org, ostatus.example.org, example.org). We will not do that unless you use the --break-my-certs flag!
Then I really didn’t understand … it seems it didn’t find static.example.org in the list …
Thanks
PS: trying different combinations, new domain at start, at end, etc. …
An example:
# /root/bin/certbot-auto certonly \
> --expand --dry-run \
> --email denis@example.org --user-agent letsencrypt --webroot \
> -w /home/example.org/htdocs/static -d static.example.org \
> -d www.example.org \
> -d blog.example.org \
> -d ostatus.example.org \
> -d example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.org
http-01 challenge for blog.example.org
http-01 challenge for ostatus.example.org
http-01 challenge for example.org
Using the webroot path /home/example.org/htdocs/static for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0046_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0046_csr-certbot.pem
IMPORTANT NOTES:
- The dry run was successful.
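
A way to confirm the symptom reported in the post above, as an added example (not part of the original post and not Certbot's own code): list the DNS names in a certificate's subjectAltName and print the requested names that are absent. The function names and the self-signed sample certificate are constructed for illustration; on a real host the certificate argument would be the fullchain.pem path shown in the output above.

```shell
#!/bin/sh
# Added example: compare the names a certificate covers with the names requested.

# Print one DNS name per line from the certificate's subjectAltName extension.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Usage: missing_sans CERT NAME...
# Prints every NAME that is not an exact SAN entry (wildcards are not expanded).
missing_sans() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: a self-signed certificate carrying the four names the
# post says were already covered. Writes DIR/cert.pem and DIR/key.pem.
make_sample_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = www.example.org
[ext]
subjectAltName = DNS:www.example.org,DNS:blog.example.org,DNS:ostatus.example.org,DNS:example.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo against the constructed certificate, with the five names from the command.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
missing_sans "$tmp/cert.pem" www.example.org blog.example.org \
    ostatus.example.org example.org static.example.org
rm -rf "$tmp"
```

Run after each `--expand`, an empty result means every requested name is in the certificate; any printed name is one the server will not present a valid certificate for.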