I have a “potential” workaround
[if we can call it that]
But it has some “challenges”…
Hurdle number one:
Figure out where the document root is for your Tomcat installation, then you could use it this way: certbot certonly --webroot -w /that/tomcat/root/path to get a cert.
Hurdle number two:
Figure out where to use the cert in your Tomcat installation.
I have never had much luck with Tomcat.
I would sooner throw an NGINX proxy in front of it and call it a day than try to beat it into submission.
But who knows… you might be smarter/luckier/younger/taller/richer/leaner/better looking than me OR just happen to know someone who is just enough of whatever it takes to make this all work in Tomcat.
If you do happen to get it to work in Tomcat, please share your pixie dust findings so that others may benefit from it.
I probably emphasized too much there and may have inadvertently made those hurdles seem insurmountable - they are not. Whatever my history with Tomcat, it should not cause you to stray from your intended path. Do stick with it; I’m sure it can be done.
Of course I know the document root.
/home/tomcat/webapps/ROOT
‘certbot certonly’ asks at startup if you want to use ‘standalone’ or ‘webroot’; unfortunately both fail.
In Tomcat you need to set (temporarily) listings to true and allow directory listing access to the directory
(/home/tomcat/webapps/ROOT)/.well-known
The Let’s Encrypt certificate needs to be converted to p12 and set in a TLS connector in the Tomcat server.xml.
That is in short how you can do it within Tomcat.
In the renewal process certbot places a file in the directory '/home/tomcat/webapps/ROOT/.well-known/acme-challenge/file-name'.
That file is to be read by Let’s Encrypt to validate the certificate renewal request as http://cebuned.vdhdn.nl/.well-known/acme-challenge/file-name
But judging from the Tomcat access logs, Let’s Encrypt does not try to read that file or any other URL on my web site.
Domain: cebuned.vdhdn.nl
Type: connection
Detail: Fetching http://cebuned.vdhdn.nl/.well-known/acme-challenge/WKyZj79xh0wTqA8NfrJzrpaYjiQnETLjL1ffaRxQfdk: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
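A pre-flight check for the webroot step described in this thread, added here as an example and not code from the thread or from certbot: it writes a throwaway token under <webroot>/.well-known/acme-challenge/ the way certbot does and fetches it over plain HTTP the way the Let’s Encrypt validator does, so a connect timeout or a 404 is surfaced before a real renewal is attempted. The webroot path and base URL are caller-supplied assumptions; `serve_dir` is a local stand-in for Tomcat used only by the offline `self_test`.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

def check_http01_webroot(webroot, base_url, timeout=10.0):
    """Write a token file into the challenge dir, fetch it like the ACME HTTP-01
    validator would, and return (ok, reason); ok only if the served bytes match."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)  # same shape as a real ACME token
    file_path = os.path.join(challenge_dir, token)
    expected = f"{token}.preflight".encode()
    with open(file_path, "wb") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            got = resp.read()
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}: wrong webroot or .well-known not served"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"connect failed for {url}: {exc} (port 80 closed, DNS or firewall)"
    finally:
        os.remove(file_path)  # never leave stray files in the challenge directory
    if got != expected:
        return False, "served bytes differ from the file on disk (redirect or other vhost answered)"
    return True, f"{url} served the token"

def serve_dir(directory, port=0):
    """Tiny local stand-in for Tomcat serving `directory`; returns (server, base_url)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def self_test():
    """Offline demo with constructed dirs: the served webroot passes, another dir gets 404."""
    served, other = tempfile.mkdtemp(), tempfile.mkdtemp()
    srv, base_url = serve_dir(served)
    try:
        return check_http01_webroot(served, base_url)[0], check_http01_webroot(other, base_url)[0]
    finally:
        srv.shutdown()
```

Against a real host, call check_http01_webroot("/home/tomcat/webapps/ROOT", "http://your.domain") from a machine outside your network; a "connect failed" result reproduces the "Timeout during connect" error above and points at port 80 rather than at Tomcat.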