Suppose you have generated a standalone cert using the certbot command, and your cert is in /etc/letsencrypt/live/ . If not, follow this: https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-ubuntu-16-04
Execute the openssl command below and remember the export password you set; the keytool command that follows needs it.
openssl pkcs12 -export -out /tmp/tomcat.quantr.hk_fullchain_and_key.p12 \
-in /etc/letsencrypt/live/quantr.hk-0001/fullchain.pem \
-inkey /etc/letsencrypt/live/quantr.hk-0001/privkey.pem \
-name tomcat
keytool -importkeystore \
-deststorepass <password> -destkeypass <password> -destkeystore /tmp/tomcat.quantr.hk.jks \
-srckeystore /tmp/tomcat.quantr.hk_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <password> \
-alias tomcat
cp /tmp/tomcat.quantr.hk.jks /home/tomcat.quantr.hk/apache-tomcat-9.0.29/conf
chmod o-rwx /home/tomcat.quantr.hk/apache-tomcat-9.0.29/conf/tomcat.quantr.hk.jks
Edit Tomcat’s conf/server.xml. You need only one connector, serving port 8443; no other connector is needed.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/tomcat.quantr.hk.jks" certificateKeystorePassword="<password>"
type="RSA" />
</SSLHostConfig>
</Connector>
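Restart Tomcat and it is done. Below is the virtual host that forwards HTTPS connections from Apache to Tomcat. This step is optional; you only need it if you use Apache as the public-facing server. The SSLProxyVerify none and SSLProxyCheckPeerCN/SSLProxyCheckPeerName off lines turn off certificate checks on the Apache-to-Tomcat hop, which here stays on localhost.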
<VirtualHost *:443>
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /etc/letsencrypt/live/quantr.hk-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/quantr.hk-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyPreserveHost On
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
ServerName tomcat.quantr.hk
ErrorLog ${APACHE_LOG_DIR}/tomcat.quantr.hk-error.log
CustomLog ${APACHE_LOG_DIR}/tomcat.quantr.hk-access.log common
</VirtualHost>
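To check the result of the keystore copy, the chmod o-rwx and the server.xml edit above, here is an added example (not part of the original post) that audits a Tomcat directory. The function names, the sample server.xml, example.jks and the password in it are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def audit_tomcat_tls(catalina_base):
    """Return findings for conf/server.xml and the keystores it references."""
    base, findings = Path(catalina_base), []
    server_xml = base / "conf" / "server.xml"
    # server.xml holds certificateKeystorePassword in clear text.
    if server_xml.stat().st_mode & 0o007:
        findings.append("server.xml is accessible to 'other' users")
    for conn in ET.parse(str(server_xml)).getroot().iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            # The post keeps a single TLS connector on 8443 and no others.
            findings.append(f"connector on port {port} is not TLS-enabled")
            continue
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:
            findings.append(f"connector on port {port} has no <Certificate>")
        for cert in certs:
            rel = cert.get("certificateKeystoreFile", "")
            path = base / rel  # relative paths resolve against the Tomcat base dir
            if not path.is_file():
                findings.append(f"keystore {rel} not found")
            elif path.stat().st_mode & 0o007:  # what chmod o-rwx clears
                findings.append(f"keystore {rel} is accessible to 'other' users")
    return findings

# Constructed sample server.xml (not the real one from the post).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="conf/example.jks"
                   certificateKeystorePassword="constructed-password" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

def build_sample(keystore_mode):
    """Create a throwaway Tomcat-like directory with the given keystore mode."""
    conf = Path(tempfile.mkdtemp()) / "conf"
    conf.mkdir()
    for name, body, mode in (("server.xml", SAMPLE, 0o640),
                             ("example.jks", "", keystore_mode)):
        (conf / name).write_text(body)
        (conf / name).chmod(mode)
    return conf.parent
```

Against a real installation, call audit_tomcat_tls() with the Tomcat directory (the one containing conf/); an empty list means none of these checks fired.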