From your output from netstat it says that the Java engine is the program with an open tcp port not httpd or Apache. You don’t need to have the same port for certificate use as you do when setting up the certbot authentication, however certbot needs to be run once every 6 months.
The main problem you are having is with understanding what exactly a SSL issued by a trusted authority entails. The SSL certificate is coded with a DNS address that lets the client know that it is on the right server, and not being hacked. In order for an authority to grant an SSL cert for a DNS address, you must first have a valid DNS address that can be looked up through a public DNS server.
Yes I could make a DNS entry for say iown.google.com, and enter that with my local IP address into my router’s /etc/hosts file and use it as a working DNS address LOCALLY, however an authority can not access that URL because it doesn’t exist.
So first you need to set up a DNS address with someone like Google domains, GoDaddy, Amazon, etc etc
After you have that done, you need to set it up for whatever external to your network IP address can be used to access your internal server. Your internal server may be 10.0.0.100, but your network has an external IP address and your router can forward port 80 and 443 to 10.0.0.100.
So second, you need to have your server accessible from the outside world, and it will need to be this way every six months for the certbot to work. If it doesn’t have a world accessible IP address, than port forward through your main networking router etc etc, they do not put out a list of used IP addresses by certbot so this is temporary, again every six months.
Now I know fedora has a default splash screen for Apache web server when nothing is configured, so you must enable Apache (should be already)
systemctl enable httpd
systemctl start httpd
dnf install certbot
The main certbot HTML page says it’s
dnf install certbot-apache
I remember it as just certbot
After this just run the certbot with
This time use the DNS address that you set up with Google domains or whatever, and it should be easy peasy.
After you are done with all of this make sure you remove the external port forwards on the main network router and then add a line in the hosts file of your main network router that is the authoritative DNS server for your network with your paid for DNS name and the internal IP address of the server.
Every 6 months you will have to re-enable the external port forwards run certbot and then remove the external access, along with having to update your dns record with the person you bought the address from if your external IP address has changed.
I think that is it…