Please see Apache reverse-proxy SSL to multiple server applications for an alternative (my preferred) solution to implementing SSL in a way that can work with any server application.
Setup guide when you need to use cert-bot auto and a tomcat java keystore. Note this assumes are running some flavour of Linux.
These guidelines are adapted from this excellent Vaadin guide here (p.s. I 
Vaadin !).
Download and install certbot-auto
Download latest version of certbot-auto:
sudo wget https://dl.eff.org/certbot-auto
Install (note this is optional and you can run from where you downloaded if you want):
sudo cp certbot-auto /usr/bin/certbot-auto sudo chmod a+x /usr/bin/certbot-auto sudo certbot-auto
Obtain certbot-auto certificate
sudo certbot-auto --no-bootstrap certonly --standalone --preferred-challenges tls-sni -d <sub.domain.com>
Convert certificate to PKCS12
Change to letsencrypt directory for SSL sub/domain you obtained, e.g.
sudo su cd /etc/letsencrypt/live/<sub.domain.com>
Note: above is an example from the confluence cert path.
Convert cert-bot auto to pkcs12 format:
sudo openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat -passout pass:<PASSWORD>
Note: replace <PASSWORD> with a secure password string.
Import to .keystore (and create keystore):
sudo keytool -importkeystore -deststorepass <PASSWORD> -destkeypass <PASSWORD> -destkeystore .keystore -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass <PASSWORD> -alias tomcat
Note: replace <PASSWORD> with the secure password string you created in the previous step.
This creates the .keystore files in the current directory. You may need to copy this to another (expected) location.
Usually you may need to copy the .keystore file (for referencing) to the user folder of user who runs apache. You can find the user by:
ps auxwww | grep tomcat
Then can do '>id 501' if see user id 501.
References
Related articles