I don't think the --apache plugin supports Tomcat syntax. Do both of your failing domains have the JkMount statement? Do the ones that work have that?
I think in the long run you would be better off using the --webroot option with Tomcat. The --webroot option will not read or update your Tomcat config at all, which also means you need to manually make the port 443 VirtualHosts. Use the ones you already have as a template for new ones. There is also Mozilla's configurator (Certbot follows that configurator too): https://ssl-config.mozilla.org/ Avoid HSTS and Stapling until you fully understand what those do. They can easily cause trouble.
You can test --webroot for camera with:
sudo certbot certonly --dry-run --webroot -w /var/www/app -d camera.wiki.br
If that works, remove --dry-run and add --deploy-hook to reload Tomcat when you get a fresh cert, like:
sudo certbot certonly --webroot -w /var/www/app -d camera.wiki.br --deploy-hook 'Tomcat-Command'
Where Tomcat-Command is whatever you need for a graceful reload of Tomcat.
Also refer to this thread for suggestions on setting up port 80 VirtualHost for redirects and HTTP Challenge.
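
A port 80 VirtualHost of the kind the post describes, given as an added example that is not part of the original post: it serves the HTTP challenge from the --webroot directory and redirects everything else to HTTPS. The domain and webroot path come from the commands above; the worker name `worker1` and the presence of a catch-all JkMount are assumptions.

```apache
# Added example (Apache 2.4 syntax, mod_rewrite and mod_jk loaded).
# camera.wiki.br and /var/www/app are taken from the certbot commands above.
<VirtualHost *:80>
    ServerName camera.wiki.br

    # Must match the path passed to certbot with -w, because certbot writes
    # challenge files to <webroot>/.well-known/acme-challenge/
    DocumentRoot /var/www/app

    # Assumption: a JkMount such as "JkMount /* worker1" applies to this host.
    # "worker1" is a hypothetical worker name; use the one from your own JkMount.
    # JkUnMount keeps challenge requests out of Tomcat so Apache answers them
    # from the webroot directory instead.
    JkUnMount /.well-known/acme-challenge/* worker1

    <Directory "/var/www/app/.well-known/acme-challenge">
        # Static token files only: no indexes, no .htaccess overrides
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything except the challenge path to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Run `apachectl configtest` before reloading Apache, then repeat the --dry-run command to confirm the challenge is reachable.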