Nuts
All of the web (http) servers can go on let's encrypt so they are being renewed automatically.
All the rest need their certs installing manually. That one component where you have to uninstall it and then reinstall to update the cert. The tomcat containers that want the cert dropped into a folder with a specific name. Some want a pfx, some want the CA chain and the cert separately some want it all bundled together. Binary certs, base64 certs.
Glad I'm not the one responsible for that any more.