
Having (I hope) solved my problems with mutually independent httpd and Tomcat servers on an Amazon Linux ("not 2") instance, I now have a situation in which I do want Tomcat running behind an existing, running, httpd, on an Amazon Linux 2 instance that's already obtaining a Let's Encrypt cert via certbot. But the last time I experimented with this one (several months ago, like the one I finally got working with Lego), I had a fair amount of trouble getting it even partially functional, and something I did badly screwed up the auto-renewal, which we didn't find out about until the cert expired on us.

Here is the (actual names and IP addresses redacted) httpd conf file I added, to provide the virtual host for the new subdomain. It makes no difference to me whether browser requests sent to port 80 get redirected to https or not; the important part is that (1) Certbot and Let's Encrypt can see and do what they need to, (2) users can reach all webapp contexts on the Tomcat server, including ROOT, and (3) only the specified IP addresses can see manager and host-manager.

Is there anything obvious that I'm doing wrong?

 <VirtualHost *:80>
     ServerName xyweb.frobozz.com
     DocumentRoot /var/www/html/test
     ServerAdmin info@frobozz.com
     <Directory /var/www/html/test>
         AllowOverride All
     </Directory>
     # Redirect to https, currently disabled. Note that as written the rule
     # would also prepend "www." to the host, so xyweb.frobozz.com would be
     # sent to www.xyweb.frobozz.com.
     # RewriteEngine on
     # RewriteCond %{HTTP_HOST} !^www\. [NC]
     # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 </VirtualHost>

 <IfModule mod_ssl.c>
 <VirtualHost *:443>
     ServerName xyweb.frobozz.com
     DocumentRoot /var/www/html/test
     ServerAdmin info@frobozz.com
     # Address restriction on the Tomcat management webapps. <Location> is
     # matched on the request URI before ProxyPass runs, so it also covers
     # /manager/html, /manager/text and so on.
     <Location /manager>
         Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
     </Location>
     <Location /host-manager>
         Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
     </Location>
     # Everything on this vhost, ROOT context included, is handed to Tomcat.
     ProxyPass "/" "http://127.0.0.1:8080/"
     ProxyPassReverse "/" "http://127.0.0.1:8080/"
     ProxyRequests Off
     # certbot's options-ssl-apache.conf supplies "SSLEngine on" and the
     # protocol/cipher settings.
     Include /etc/letsencrypt/options-ssl-apache.conf
     SSLCertificateFile /etc/letsencrypt/live/fizmo.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/fizmo.com/privkey.pem
 </VirtualHost>
 </IfModule>
hbquikcomjamesl

2 Answers


Apparently it is, because I finally had time to test it today, and it worked.

I also learned that my whole silly-go-round of a few months ago, trying to add the new subdomain to the existing Let's Encrypt cert and Certbot configuration used by all the other subdomains was a pointless exercise that simply made things harder for me: each subdomain that has its own virtual host on an httpd server can also have its own cert. It also helped that I learned about "certbot renew --force-renewal" today.

hbquikcomjamesl

I see that you commented out the lines for communication with Let's Encrypt via Certbot, the ones for the redirect:

 # RewriteEngine on
 # RewriteCond %{HTTP_HOST} !^www\. [NC]
 # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Did you have problems renewing the certificate? I think you have to edit it every time you renew the certificate, no?

Mine was not working because of the SELinux settings; I had to run this command to get it working, as Apache was not allowed to redirect the traffic from 443 to 8080:

sudo semanage port -m -t http_port_t -p tcp 8080
Guilherme
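Pulling together the vhost from the question and the two points raised in the second answer (the commented-out redirect, and the proxy from 443 to 8080), here is a revised pair of vhosts that meets the three requirements in the question: certbot can complete its http-01 challenge even with the redirect turned on, every Tomcat context including ROOT is reachable over https, and only the listed addresses can reach manager and host-manager. This is an added example, not the configuration from the question or either answer. The host name, admin address, DocumentRoot and `Require ip` placeholders are the question's; the file name in the first comment, the ACME-challenge exclusions, the `SERVER_NAME`-based redirect, the per-subdomain `live/` path and the `X-Forwarded-Proto` header are my assumptions.

```apache
# /etc/httpd/conf.d/xyweb.frobozz.com.conf  (file name is an assumption)
# Needs mod_ssl, mod_rewrite, mod_headers, mod_proxy and mod_proxy_http,
# all of which Amazon Linux 2 httpd loads by default.

<VirtualHost *:80>
    ServerName   xyweb.frobozz.com
    ServerAdmin  info@frobozz.com
    DocumentRoot /var/www/html/test

    # certbot's http-01 challenge is fetched over plain HTTP from this
    # directory; it must be served from disk, never proxied or redirected.
    <Directory /var/www/html/test/.well-known/acme-challenge>
        Require all granted
    </Directory>

    # Everything else goes to https. Unlike the commented-out rule in the
    # question, this keeps the host as-is instead of prepending "www.".
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName   xyweb.frobozz.com
    ServerAdmin  info@frobozz.com
    DocumentRoot /var/www/html/test

    # certbot's options-ssl-apache.conf already sets "SSLEngine on"; stating
    # it here keeps the vhost valid even if that include is ever changed.
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    # One certificate per subdomain, as the first answer found. certbot names
    # the live/ directory after the first -d name it was given.
    SSLCertificateFile    /etc/letsencrypt/live/xyweb.frobozz.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xyweb.frobozz.com/privkey.pem

    # No forward proxying; only the explicit ProxyPass targets are reachable.
    ProxyRequests Off
    ProxyPreserveHost On
    # Tell Tomcat the client spoke TLS, so it builds https:// redirect URLs.
    # Tomcat only honours this with RemoteIpValve or the Connector's
    # scheme/secure/proxyPort attributes configured.
    RequestHeader set X-Forwarded-Proto "https"

    # Address restriction on the management webapps. <Location> is matched
    # against the request URI before proxying, so /manager, /manager/html
    # and /manager/text are all covered.
    <Location "/manager">
        Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
    </Location>
    <Location "/host-manager">
        Require ip ww.xx.yy.zz aa.bb.cc.dd ee.ff.gg.hh
    </Location>

    # Exclusions must precede the catch-all. Let's Encrypt follows a redirect
    # to https during validation, so the challenge must not reach Tomcat
    # on this side either.
    ProxyPass        "/.well-known/acme-challenge/" "!"
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>
</IfModule>
```

Check it with `apachectl configtest` before reloading, then issue the certificate with `certbot --apache -d xyweb.frobozz.com` (or `certbot certonly --webroot -w /var/www/html/test -d xyweb.frobozz.com` if you prefer certbot not to touch httpd's config). The check that would have caught the silent renewal failure described in the question is `certbot renew --dry-run`, which exercises the whole challenge path against the staging environment without issuing anything; `--force-renewal`, as used in the first answer, issues a real certificate each time and counts against Let's Encrypt's duplicate-certificate rate limit. On the SELinux side, the usual reason mod_proxy cannot reach 127.0.0.1:8080 is the `httpd_can_network_connect` boolean (check with `getsebool httpd_can_network_connect`, enable with `setsebool -P httpd_can_network_connect 1`); the symptom is a 503 from httpd and a `name_connect` AVC denial for `comm="httpd"` in /var/log/audit/audit.log. Two Tomcat-side caveats: bind the 8080 Connector to `address="127.0.0.1"` in server.xml, otherwise clients can reach every context over plain HTTP and bypass both TLS and the address restrictions; and remember that every proxied request arrives at Tomcat from 127.0.0.1, so the manager webapp's own RemoteAddrValve (which allows loopback by default) offers no protection in this layout, and httpd's `Require ip` is the only address check that counts unless you also configure RemoteIpValve to trust X-Forwarded-For from the proxy.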