Problem updating ACME TLS-SNI-01 to alternative validation method

Would you be willing to intervene directly on my server?
I spent 2 days on this issue without a single step forward.

Do you know where the vhost config files are?
Do you know which one covers that name for port 443?


Both
kreator.ch.conf
kreator.ch-ssl.conf
are in /etc/apache2/sites-available

kreator.ch-ssl.conf covers 443

Does it contain a line with “DocumentRoot”?


Yes
DocumentRoot /var/www/kreator.ch/piblic_html

Sorry, piblic -> public

    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin mathias.zajaczkowski@ubik.ch
    ServerName kreator.ch
    ServerAlias www.kreator.ch
    DocumentRoot /var/www/kreator.ch/public_html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

Include /etc/letsencrypt/options-ssl-apache.conf
JkMount /* ajp13_worker
SSLCertificateFile /etc/letsencrypt/live/www.kreator.ch/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.kreator.ch/privkey.pem

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

That is the same as already used:
certbot run -a webroot -i apache -w /var/www/kreator.ch/public_html -d www.kreator.ch -d kreator.ch


Please show:
ls -l /var/www/kreator.ch/public_html/.well-known/acme-challenge/


total 4
-rw-r--r-- 1 mathias ubik 1652 Jan 29 16:45 1234
root@vserv2200.swisslink.ch:/etc/tomcat7#

I can't reach the 1234 file:
wget http://kreator.ch/.well-known/acme-challenge/1234
wget http://www.kreator.ch/.well-known/acme-challenge/1234
wget https://kreator.ch/.well-known/acme-challenge/1234
wget https://www.kreator.ch/.well-known/acme-challenge/1234

All fail :frowning:

This needs to be looked into more closely...

Please show:
sudo netstat -pant

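The check above (drop a known file into the webroot's acme-challenge directory, then fetch it by every name the certificate will cover) as a small pre-flight script. This is an added example, not code from the thread or from Certbot; the sample vhost text and the token name 1234 are taken from the posts above, and the probe only reports reachability over plain HTTP, which is where HTTP-01 starts.

```python
# Added example: pre-flight check for ACME HTTP-01 webroot validation.
# Parses an Apache vhost for ServerName/ServerAlias/DocumentRoot, derives the
# file path Certbot would write a token to and the URLs the CA would fetch,
# then optionally probes those URLs. Not part of Certbot or the thread.
import os
from urllib.request import urlopen

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample, reduced from the kreator.ch-ssl.conf shown in the thread.
SAMPLE_VHOST = """\
    ServerName kreator.ch
    ServerAlias www.kreator.ch
    DocumentRoot /var/www/kreator.ch/public_html
    #ServerName www.example.com
"""

def parse_vhost(config_text):
    """Extract the directives that matter for webroot validation."""
    vhost = {"server_name": None, "aliases": [], "document_root": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "servername" and len(parts) > 1:
            vhost["server_name"] = parts[1]
        elif key == "serveralias":
            vhost["aliases"].extend(parts[1:])
        elif key == "documentroot" and len(parts) > 1:
            vhost["document_root"] = parts[1].strip('"')
    return vhost

def challenge_targets(vhost, token):
    """Where the token file must live, and which URLs must return it."""
    path = os.path.join(vhost["document_root"], CHALLENGE_DIR, token)
    names = [n for n in [vhost["server_name"], *vhost["aliases"]] if n]
    urls = [f"http://{name}/{CHALLENGE_DIR}/{token}" for name in names]
    return path, urls

def probe(url, expected, timeout=10):
    """Fetch url; True only if the body equals the token file's content."""
    try:
        body = urlopen(url, timeout=timeout).read()
    except OSError as exc:                        # DNS, connect, 4xx/5xx
        return False, f"unreachable: {exc}"
    return body == expected, "ok" if body == expected else "wrong content"

if __name__ == "__main__":
    path, urls = challenge_targets(parse_vhost(SAMPLE_VHOST), "1234")
    print("token file must be at:", path)
    for url in urls:
        print(url, probe(url, b"probe")[1])
```

Every URL must return the file's exact content; a 404 or a connection failure on any name means Certbot's webroot run will fail the same way.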

The 1234 file was created manually for Juergen's check.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 546/postgres
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 932/exim4
tcp 0 0 0.0.0.0:50683 0.0.0.0:* LISTEN 377/sshd
tcp 0 0 127.0.0.1:5432 127.0.0.1:58629 ESTABLISHED 951/postgres: mathi
tcp 0 464 94.103.101.200:50683 86.111.136.181:19711 ESTABLISHED 5535/sshd: mathias
tcp 0 0 127.0.0.1:55244 127.0.0.1:8009 ESTABLISHED 2524/apache2
tcp 0 0 127.0.0.1:5432 127.0.0.1:58628 ESTABLISHED 950/postgres: mathi
tcp 0 0 127.0.0.1:5432 127.0.0.1:58627 ESTABLISHED 944/postgres: mathi
tcp 0 0 127.0.0.1:55241 127.0.0.1:8009 ESTABLISHED 2524/apache2
tcp 0 0 127.0.0.1:55240 127.0.0.1:8009 ESTABLISHED 2525/apache2
tcp 0 0 94.103.101.200:50683 86.111.136.181:10803 ESTABLISHED 3720/sshd: mathias
tcp 0 0 127.0.0.1:55242 127.0.0.1:8009 ESTABLISHED 2525/apache2
tcp 0 0 127.0.0.1:55245 127.0.0.1:8009 ESTABLISHED 2525/apache2
tcp 0 0 127.0.0.1:55243 127.0.0.1:8009 ESTABLISHED 2524/apache2
tcp6 0 0 :::5432 :::* LISTEN 546/postgres
tcp6 0 0 :::25 :::* LISTEN 932/exim4
tcp6 0 0 :::443 :::* LISTEN 571/apache2
tcp6 0 0 :::50683 :::* LISTEN 377/sshd
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 478/java
tcp6 0 0 :::8009 :::* LISTEN 478/java
tcp6 0 0 :::8080 :::* LISTEN 478/java
tcp6 0 0 :::80 :::* LISTEN 571/apache2
tcp6 0 0 94.103.101.200:80 46.229.168.144:42042 TIME_WAIT -
tcp6 0 0 127.0.0.1:8009 127.0.0.1:55240 ESTABLISHED 478/java
tcp6 0 0 127.0.0.1:8009 127.0.0.1:55244 ESTABLISHED 478/java
tcp6 0 0 94.103.101.200:443 46.229.168.140:25520 TIME_WAIT -
tcp6 0 0 94.103.101.200:443 46.229.168.138:9414 TIME_WAIT -
tcp6 0 0 127.0.0.1:58629 127.0.0.1:5432 ESTABLISHED 478/java
tcp6 0 0 94.103.101.200:80 46.229.168.150:64648 TIME_WAIT -
tcp6 0 0 94.103.101.200:80 46.229.168.149:22574 TIME_WAIT -
tcp6 0 0 127.0.0.1:58627 127.0.0.1:5432 ESTABLISHED 478/java
tcp6 0 274 94.103.101.200:443 46.229.168.140:42782 ESTABLISHED 2524/apache2
tcp6 0 0 94.103.101.200:80 46.229.168.150:35826 TIME_WAIT -
tcp6 0 0 94.103.101.200:80 46.229.168.142:65202 TIME_WAIT -
tcp6 0 0 127.0.0.1:58628 127.0.0.1:5432 ESTABLISHED 478/java
tcp6 0 0 127.0.0.1:8009 127.0.0.1:55241 ESTABLISHED 478/java
tcp6 0 0 94.103.101.200:443 46.229.168.152:45978 TIME_WAIT -
tcp6 0 0 127.0.0.1:8009 127.0.0.1:55242 ESTABLISHED 478/java
tcp6 0 0 127.0.0.1:8009 127.0.0.1:55243 ESTABLISHED 478/java
tcp6 0 0 94.103.101.200:443 178.192.194.166:60186 ESTABLISHED 2525/apache2
tcp6 0 0 127.0.0.1:8009 127.0.0.1:55245 ESTABLISHED 478/java
tcp6 0 0 94.103.101.200:443 46.229.168.142:56996 TIME_WAIT -
tcp6 0 0 94.103.101.200:80 46.229.168.149:22388 TIME_WAIT -
tcp6 0 0 94.103.101.200:80 46.229.168.139:17328 TIME_WAIT -

Yes I read that.
But the Internet can’t reach it.
And that is the location where the auth files will be placed.
They won’t be reached either :frowning:


That boils down to:
tcp6 0 0 :::443 :::* LISTEN 571/apache2
tcp6 0 0 :::80 :::* LISTEN 571/apache2

So Apache is listening on both 80 and 443.
Nothing mysterious there…


That’s the way it is defined in the 2 apache2 conf files.
Is it wrong?

Please show:
top -i


tomcat7
postgres
root
www-data

But that didn't work.

So this isn't your webroot or it's not your server instance.