I can renew a cert like this:
certbot-auto renew --apache
but what parameters do I pass when I want to disable the less secure RC4 and SSL v3?
I would assume the information I need is here, but I can't see it:
https://certbot.eff.org/docs/using.html#command-line-options
Disabling a cipher (RC4) or a protocol (SSLv3) is not done by changing the certificate but by changing the configuration of the web server. The certificate is (mostly) independent of cipher and protocol.
When using apache you would need to adjust the SSLProtocol and SSLCipherSuite configuration options.
