The script below outlines how to generate and use a Let's Encrypt certificate with dotCMS running under Tomcat on AWS Linux.
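#!/usr/bin/env bash
# Creating a multi domain letsencrypt cert for dotcms on AWS Linux
# Assumes dotCMS ROOT is running under /op/dotcms/dotserver/tomcat-8.0.18/webapps/ROOT
#
# Required environment:
#   KEYSTORE_PASS - password for the intermediate .p12 and the resulting .jks.
#     It is handed to openssl/keytool through a 0600 temp file instead of on
#     the command line, so it does not show up in `ps` output or shell history.
set -euo pipefail

: "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password before running}"

readonly dotcms_root=/op/dotcms/dotserver/tomcat-8.0.18/webapps/ROOT
readonly live_dir=/etc/letsencrypt/live/www.dotcms.com
readonly keystore=MyDSKeyStore.jks

# mktemp creates the file with mode 0600; root (via sudo) can still read it.
pass_file=$(mktemp) || exit 1
cleanup() { rm -f -- "$pass_file"; }
trap cleanup EXIT
printf '%s\n' "$KEYSTORE_PASS" > "$pass_file"

# Download certbot-auto and remember its absolute path: the script later cd's
# into the webapp ROOT, where a relative ./certbot-auto would not be found
# unless the download happened to be made there.
# NOTE(review): EFF publishes a detached signature next to certbot-auto;
# verify it before running the downloaded script as root.
wget -O certbot-auto https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
certbot=$PWD/certbot-auto
sudo yum install -y python26-virtualenv.noarch

# certonly is run from inside the webapp ROOT — presumably so the ACME challenge
# files land somewhere Tomcat serves; confirm which authenticator certbot picks.
cd -- "$dotcms_root"
sudo "$certbot" --debug -v certonly -d www.dotcms.com -d test.dotcms.com -d demo.dotcms.com -d auth.dotcms.com
# at this point, certs in .pem form will be saved under: /etc/letsencrypt/live/www.dotcms.com/fullchain.pem
cd -- "$live_dir"

# The next step is to use openssl and java's keytool that comes with the jdk to
# convert the .pem formatted certs to java jks format.
# keytool was not in my path so I had to hunt for it in JAVA_HOME and add it to
# my path; only create the symlink if keytool is still missing.
if ! command -v keytool >/dev/null; then
  sudo ln -s /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool /usr/bin/
fi

# then convert the pem to an intermediate pkcs12 (export password read from the
# temp file instead of an interactive prompt)
sudo openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 \
  -name tomcat -CAfile chain.pem -caname root -passout "file:$pass_file"
# then from that to a java .jks
sudo keytool -importkeystore -deststorepass:file "$pass_file" -destkeypass:file "$pass_file" \
  -destkeystore "$keystore" -srckeystore cert_and_key.p12 -srcstoretype PKCS12 \
  -srcstorepass:file "$pass_file" -alias tomcat
# add the CA chain; -noprompt skips the "Trust this certificate?" question,
# which is acceptable here because chain.pem came from the issuance above
sudo keytool -import -trustcacerts -noprompt -alias root -file chain.pem \
  -keystore "$keystore" -storepass:file "$pass_file"
# the .p12 holds the private key and is not needed once the .jks exists
sudo rm -f -- cert_and_key.p12

# NOTE(review): the .jks is a snapshot of the files under $live_dir and has to
# be rebuilt (re-run the conversion above) whenever certbot renews the cert.
# It is created by root with the default umask; make sure only the user Tomcat
# runs as can read it — confirm that user before tightening permissions.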
# After that, add the SSL connector to your tomcat/conf/server.xml:
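<!-- Define a SSL/TLS HTTP/1.1 Connector on port 443.
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation.
     keystorePass/keyPass are stored in clear text here, so server.xml must
     not be readable by other users; both values must match the password the
     .jks was built with. Binding port 443 directly needs the privilege to
     open a port below 1024 (confirm how Tomcat is started on this host). -->
<!-- NOTE(review): sslProtocol="TLS" leaves protocol and cipher selection to
     the JVM defaults; consider also setting sslEnabledProtocols to exclude
     legacy protocol versions. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/letsencrypt/live/www.dotcms.com/MyDSKeyStore.jks"
           keystorePass="PASSWORD" keyAlias="tomcat" keyPass="PASSWORD"
           clientAuth="false" sslProtocol="TLS" />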