To supply an SSL certificate for all my domains hosted on this server, I used Let's Encrypt and generated one certificate for the whole server which included all domains hosted there. I currently rent a second dedicated server from Hetzner and instead of ordering a new domain, I took one of the unused ones I already have. Now this domain was configured on my main server when I generated the certificate. I changed the DNS entry for qatal.de and everything worked. Since qatal.de does not have a web presence at the moment, I never configured https there.
When the main server's certificate came up for automatic renewal, Let's Encrypt tried to verify that the web presence of qatal.de was still available at the previous DNS address (the one of the main server). Certificate renewal failed completely.
Then I discovered that currently (2017-04) there is no easy way to extract one domain from a certificate before renewal. Editing the renewal config file and removing the domains did not help - it still checked for them. Disabling the Apache-hosted vhosts did not help - it now complained about those.
I decided to do 2) and created reddit.qatal.de for the second server. If I had needed to move a more important domain like dewarim.de to a new server, I would have had to use solution 1.
Option 3 is certainly better, but replacing system packages on Ubuntu 16.04 will probably break automatic updates for letsencrypt. If I install my own newer version, I have to be on the lookout for updates, because Ubuntu will no longer manage this for me. Seems like a problem for security-related packages...
Generally it seems like a better idea to create a separate certificate for each domain, but that may be slightly more work (needs a list of domains and a bash loop ;) ).
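The list-and-loop approach mentioned above, sketched as an added example (not the author's script): it plans one certificate per domain and first checks that each domain still resolves to this server, so a domain that has moved is skipped instead of failing validation for everything else. Assumptions: the client is invoked as `certbot` with the Apache plugin, `getent` is available for the real resolver, and the IP addresses are constructed documentation values.

```shell
#!/bin/sh
# Added example, not the author's script. Plans one certificate per domain and
# skips any domain whose DNS no longer points at this server, so a moved
# domain cannot block issuance or renewal for the others.

CLIENT="certbot"   # assumption: client command name; adjust for your package

# Real resolver (assumes glibc getent): first IPv4 address for a name.
resolve_system() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Constructed sample resolver for offline runs. The IPs are documentation
# addresses (RFC 5737), not the real records of these domains.
resolve_sample() {
    case "$1" in
        dewarim.de) echo "192.0.2.10" ;;      # still on the main server
        qatal.de)   echo "198.51.100.7" ;;    # moved to the second server
    esac
}

# plan_certs RESOLVER SERVER_IP DOMAIN...
# stdout: one issuance command per domain that resolves to SERVER_IP
# stderr: one "skip" line per domain that resolves elsewhere or not at all
plan_certs() {
    resolver=$1
    server_ip=$2
    shift 2
    for domain in "$@"; do
        ip=$("$resolver" "$domain") || ip=""
        if [ "$ip" = "$server_ip" ]; then
            printf '%s certonly --apache -d %s\n' "$CLIENT" "$domain"
        else
            printf 'skip %s: resolves to %s, expected %s\n' \
                "$domain" "${ip:-nothing}" "$server_ip" >&2
        fi
    done
}

# Offline demonstration with the constructed records above. For real use,
# pass resolve_system and this server's public IPv4 address instead.
plan_certs resolve_sample 192.0.2.10 dewarim.de qatal.de
```

Because each domain gets its own certificate, each also gets its own renewal configuration, and a skipped domain shows up as a single line on stderr that a cron wrapper can alert on.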