Having (I hope) solved my problems with mutually independent httpd and Tomcat servers on an Amazon Linux ("not 2") instance, I now have a situation in which I do want Tomcat running behind an existing, running, httpd, on an Amazon Linux 2 instance that's already obtaining a Let's Encrypt cert via certbot. But the last time I experimented with this one (several months ago, like the one I finally got working with Lego), I had a fair amount of trouble getting it even partially functional, and something I did badly screwed up the auto-renewal, which we didn't find out about until the cert expired on us.
Here is the (actual names and IP addresses redacted) httpd conf file I added, to provide the virtual host for the new subdomain. It makes no difference to me whether browser requests sent to port 80 get redirected to https or not; the important part is that (1) Certbot and Let's Encrypt can see and do what they need to, (2) users can reach all webapp contexts on the Tomcat server, including ROOT, and (3) only the specified IP addresses can see manager and host-manager.
Is there anything obvious that I'm doing wrong?
```apache
<VirtualHost *:80>
    ServerName xyweb.frobozz.com
    DocumentRoot /var/www/html/test
    ServerAdmin [email protected]
    <Directory /var/www/html/test>
        AllowOverride All
    </Directory>
    # Optional redirect of plain-HTTP requests to https, left disabled
    # RewriteEngine on
    # RewriteCond %{HTTP_HOST} !^www\. [NC]
    # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName xyweb.frobozz.com
    DocumentRoot /var/www/html/test
    ServerAdmin [email protected]
    # Tomcat manager contexts: only the listed addresses may reach them
    <Location /manager>
        Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
    </Location>
    <Location /host-manager>
        Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
    </Location>
    # Everything else is proxied to Tomcat on the loopback interface
    ProxyPass "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    ProxyRequests Off
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/fizmo.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fizmo.com/privkey.pem
</VirtualHost>
</IfModule>
```
Apparently it is, because I finally had time to test it today, and it worked.
I also learned that my whole silly-go-round of a few months ago, trying to add the new subdomain to the existing Let's Encrypt cert and Certbot configuration used by all the other subdomains was a pointless exercise that simply made things harder for me: each subdomain that has its own virtual host on an httpd server can also have its own cert. It also helped that I learned about "certbot renew --force-renewal" today.
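A small checker for the two properties the vhost above depends on, added here as an example (it is not from the post and not an httpd tool): it parses vhost blocks shaped like the one above and flags a ProxyPass whose backend is not on loopback, or a manager/host-manager context proxied with no Require ip block. The sample configs, names and addresses are constructed.

```python
import re
# Constructed sample shaped like the :443 vhost in the post (placeholder names and IPs, not the poster's file).
GOOD_CONF = """
<VirtualHost *:443>
<Location /manager>
Require ip 192.0.2.10 192.0.2.11
</Location>
<Location /host-manager>
Require ip 192.0.2.10 192.0.2.11
</location>
ProxyPass "/" "http://127.0.0.1:8080/"
</VirtualHost>
"""
# Same shape with two weaknesses: host-manager left unrestricted, and the backend is not on loopback.
BAD_CONF = GOOD_CONF.replace("<Location /host-manager>\nRequire ip 192.0.2.10 192.0.2.11\n</location>\n", "")
BAD_CONF = BAD_CONF.replace("127.0.0.1", "10.0.0.5")
PROTECTED = ("/manager", "/host-manager")  # Tomcat contexts that must never be proxied unrestricted

def parse_vhosts(conf):
    # One record per <VirtualHost>: port, ProxyPass (path, backend) pairs, and Require ip lists per Location.
    vhosts, vh, loc = [], None, None
    for raw in conf.splitlines():
        line = raw.strip()  # comments and blank lines match none of the anchored patterns below
        if m := re.match(r"<VirtualHost\s+\S*?:(\d+)>", line, re.I):
            vhosts.append(vh := {"port": m.group(1), "proxy": [], "require_ip": {}})
        elif vh is None:
            continue  # directives outside any vhost are not what this check is about
        elif re.match(r"<Location\s", line, re.I):
            loc = line.split(None, 1)[1].rstrip(">").strip('"')
        elif re.match(r"</Location>", line, re.I):  # httpd section names are case-insensitive
            loc = None
        elif loc and re.match(r"Require\s+ip\s", line, re.I):
            vh["require_ip"].setdefault(loc, []).extend(line.split()[2:])
        elif re.match(r"ProxyPass\s", line, re.I):  # ProxyPassReverse does not match this pattern
            path, target = (t.strip('"') for t in line.split()[1:3])
            vh["proxy"].append((path, target))
    return vhosts

def audit(conf, protected=PROTECTED):
    # Findings: a backend not on loopback, or a protected context reachable through ProxyPass with no Require ip.
    findings = []
    for vh in parse_vhosts(conf):
        for path, target in vh["proxy"]:
            host = re.sub(r"^\w+://", "", target).split("/")[0].rsplit(":", 1)[0]
            if host not in ("127.0.0.1", "localhost", "[::1]"):
                findings.append(f":{vh['port']} proxies {path} to non-loopback backend {host}")
            for ctx in protected:
                if ctx.startswith(path) and ctx not in vh["require_ip"]:
                    findings.append(f":{vh['port']} exposes {ctx} through ProxyPass {path} with no Require ip")
    return findings
```

The checker sees only the httpd side; the matching property on the Tomcat side is that the port 8080 connector stays bound to 127.0.0.1, so the proxy is the only way in.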