Append –dry-run to below commands to test.
certbot-auto certonly --webroot -w /path/to/webroot/ -d sub.example.com
Concatenate the newly renewed certificate and private key (lighttpd example):
cat /etc/letsencrypt/live/sub.example.com/privkey.pem /etc/letsencrypt/live/sub.example.com/cert.pem > /etc/lighttpd/qa.pem
Reload webserver.
For expanding the certificate to new subdomains just add the new domain to above command i.e.:
certbot-auto certonly --webroot -w /var/www/example.com/web/webroot --expand -d example.com -d www.example.com