It’s really not rocket science, but I can never remember it exactly. So here it is:

  1. I sometimes have to find the path for certbot, as it doesn’t get set for “root” (assuming certbot is installed):
    which certbot
    sudo su
    export PATH=<certbotpath>:$PATH
    
  2. assuming you’re root (or another account with the necessary privileges):
    certbot renew
    
  3. if you get a new certificate, the “tricky part” follows
  4. change working directory to the folder with the new certificate: cd /etc/letsencrypt/live/<site>
  5. first we need to create a PKCS12/PFX file containing the new private key and the certificate chain; openssl prompts for an export password, and the next step assumes you enter “password”:
    openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out server.p12 -name tomcat
    

    Note: initially, we suggested “-in cert.pem -CAfile chain.pem ….”, which doesn’t include the chain in the P12 file (-CAfile only pulls the chain certificates in when -chain is given as well, and fullchain.pem already contains them).

  6. the next step is to convert the PKCS12 file into a JKS Java keystore (the -srcstorepass must match the export password from step 5; if the destination keystore already holds a “tomcat” alias, keytool asks whether to overwrite it):
    keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/usrMgmt/onetimekeystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password -alias tomcat
    
  7. restart the Tomcat app, if it needs a restart to pick up the new TLS certificate
  8. clean up - delete the temporary files: server.p12 in the live folder (it contains the private key), and the JKS copy too if your app only reads it once at start-up
  9. A note of caution - it may be the case that configuration files are wrapped in a jar file. (Just in case you can’t find any and have been banging your head against your desk for the last 2 days :)

Note: we keep our Tomcat apps in the /opt/ folder, I believe that "onetimekeystore.jks" is something of a default name, but adjust as you need (just find an existing "*.jks" file). The "tomcat" alias and the password "password" are more or less default values as well - you should certainly change the password, and it must be changed in your Tomcat app as well (or its configuration file)! Both server.p12 and the JKS contain the private key, so keep them readable only by root and the account Tomcat runs as (chmod 600), and don't leave stray copies behind.
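The whole procedure above (renew, PKCS12, keystore, clean-up, restart) as one script, written here as an added example rather than the commands from the post: it generates a random keystore password instead of "password", creates the key-bearing files owner-readable only, builds the new keystore beside the old one and moves it into place only on success, and checks that the keystore really holds the renewed certificate before telling you to restart Tomcat. The site name and destination keystore path are hypothetical command-line arguments, and updating keystorePass in Tomcat's configuration is still up to you.

```sh
#!/bin/sh
# Added example (not the original post's commands): renew -> PKCS12 -> keystore in one go.
# Hypothetical: site name and destination keystore are arguments; Tomcat's keystorePass
# must be updated by hand with the password this prints.
set -e

# Random keystore/key password (32 base64 characters); replaces the default "password".
gen_password() {
    openssl rand -base64 24 | tr -d '\n'
}

# SHA-256 fingerprint of the (first) certificate in a PEM file, e.g. AB:CD:...
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 5: private key + full chain into a PKCS12 file. The export password is passed
# with -passout so it is exactly the one the keytool step uses (no prompt, no mismatch).
# If an old JDK's keytool rejects a file written by OpenSSL 3, add -legacy to the export.
make_pkcs12() {
    key=$1; chain=$2; out=$3; pass=$4
    umask 077    # the file carries the private key: owner-readable only
    openssl pkcs12 -export -in "$chain" -inkey "$key" -out "$out" -name tomcat \
        -passout "pass:$pass"
}

# Step 6: PKCS12 -> keystore, built next to the destination and moved into place only on
# success, so a failed run leaves the old keystore untouched. JDK 9+ keytool writes PKCS12
# by default whatever the suffix; add -deststoretype JKS only if your app insists on JKS.
make_keystore() {
    p12=$1; dest=$2; pass=$3
    umask 077
    rm -f "$dest.new"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" -alias tomcat \
        -destkeystore "$dest.new" -deststorepass "$pass" -destkeypass "$pass"
    mv -f "$dest.new" "$dest"
}

# Does the "tomcat" entry in the keystore carry the certificate with this fingerprint?
keystore_has_cert() {
    dest=$1; pass=$2; want=$3
    got=$(keytool -list -rfc -keystore "$dest" -storepass "$pass" -alias tomcat \
          | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$got" = "$want" ]
}

main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 <site> <dest-keystore>" >&2
        return 0
    fi
    live=/etc/letsencrypt/live/$1; dest=$2
    certbot renew                                   # steps 2 and 3
    pass=$(gen_password)
    make_pkcs12 "$live/privkey.pem" "$live/fullchain.pem" "$live/server.p12" "$pass"
    make_keystore "$live/server.p12" "$dest" "$pass"
    rm -f "$live/server.p12"                        # step 8: drop the temporary copy of the key
    keystore_has_cert "$dest" "$pass" "$(cert_fingerprint "$live/cert.pem")" \
        || { echo "keystore does not hold the renewed certificate" >&2; return 1; }
    echo "new keystore password (set it as keystorePass in Tomcat, then restart): $pass"
}

main "$@"
```

If your Tomcat connector can read PKCS12 directly (keystoreType="PKCS12"), you can point it at the .p12 file and skip the keytool step altogether; the fingerprint check then applies to the .p12 instead.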