The script below outlines how to generate a Let's Encrypt certificate and use it with dotCMS running under Tomcat on AWS Linux.
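#!/usr/bin/env bash
# Creating a multi domain letsencrypt cert for dotcms on AWS Linux
#
# Assumes dotCMS ROOT is running under /op/dotcms/dotserver/tomcat-8.0.18/webapps/ROOT
# (path taken from the original write-up; confirm it matches the installation).
#
# Steps:
#   1. fetch certbot-auto and obtain one certificate covering all listed hosts
#   2. convert the .pem files certbot leaves under /etc/letsencrypt/live/<first host>/
#      into a PKCS12 file and then into a Java .jks keystore for Tomcat
#   3. print the SSL connector to add to tomcat/conf/server.xml
#
# Required env: KS_PASS     - password for the keystore and its key. It is handed to
#                             openssl and keytool through the environment (openssl
#                             env:VAR, keytool :env), never on the command line, so it
#                             does not show up in `ps` output or shell history.
# Optional env: TOMCAT_USER - group that is allowed to read the keystore (default: tomcat)
#
# Note: certbot's renewal replaces the .pem files but nothing rebuilds the .jks; the
# conversion step has to be re-run after each renewal (e.g. from a renewal hook).
set -euo pipefail

readonly DOTCMS_ROOT=/op/dotcms/dotserver/tomcat-8.0.18/webapps/ROOT
readonly DOMAINS=(www.dotcms.com test.dotcms.com demo.dotcms.com auth.dotcms.com)
# certbot names the live directory after the first -d host
readonly LIVE_DIR="/etc/letsencrypt/live/${DOMAINS[0]}"
readonly KEYSTORE="${LIVE_DIR}/MyDSKeyStore.jks"
# keytool was not on PATH on the original host; this is where it was found
readonly KEYTOOL_FALLBACK=/usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool
readonly TOMCAT_USER="${TOMCAT_USER:-tomcat}"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download certbot-auto and request the certificate.
# certbot-auto lands in the current directory, so it is invoked by absolute
# path instead of after a cd into the webroot (in the original sequence
# `cd $ROOT; ./certbot-auto` the binary is not in $ROOT). --webroot lets certbot
# answer the HTTP challenge through the running dotCMS site.
# Globals:   DOTCMS_ROOT, DOMAINS, LIVE_DIR (read)
# Returns:   0 on success; exits via die if no certificate was produced
#######################################
obtain_cert() {
  local certbot="$PWD/certbot-auto"
  # certbot-auto runs as root: verify the download against the publisher's
  # signature before trusting it.
  wget https://dl.eff.org/certbot-auto
  chmod a+x -- "$certbot"
  sudo yum install -y python26-virtualenv.noarch

  local args=(--debug -v certonly --webroot -w "$DOTCMS_ROOT")
  local host
  for host in "${DOMAINS[@]}"; do
    args+=(-d "$host")
  done
  sudo "$certbot" "${args[@]}"

  # at this point, certs in .pem form are under $LIVE_DIR
  # (fullchain.pem, cert.pem, privkey.pem, chain.pem). The live directory is
  # root-only, so the check itself needs sudo.
  sudo test -f "$LIVE_DIR/fullchain.pem" || die "no certificate found in $LIVE_DIR"
}

#######################################
# Convert the .pem files to a Java keystore.
# Uses openssl for pem -> pkcs12 and the JDK keytool for pkcs12 -> jks.
# All paths are absolute because /etc/letsencrypt/live is not searchable by
# non-root users (a plain cd into it fails).
# Globals:   LIVE_DIR, KEYSTORE, KEYTOOL_FALLBACK, TOMCAT_USER (read); KS_PASS (exported, read)
# Returns:   0 on success; exits via die if keytool cannot be found
#######################################
convert_to_jks() {
  local keytool
  keytool=$(command -v keytool || true)
  [[ -n "$keytool" ]] || keytool=$KEYTOOL_FALLBACK
  [[ -x "$keytool" ]] || die "keytool not found (looked on PATH and at $KEYTOOL_FALLBACK)"

  local p12="$LIVE_DIR/cert_and_key.p12"

  # sudo -E keeps KS_PASS in the environment of the child; sudo's default
  # env_reset would otherwise drop it.
  # pem -> intermediate pkcs12
  sudo -E openssl pkcs12 -export \
    -in "$LIVE_DIR/cert.pem" -inkey "$LIVE_DIR/privkey.pem" \
    -out "$p12" -name tomcat -CAfile "$LIVE_DIR/chain.pem" -caname root \
    -passout env:KS_PASS
  # pkcs12 -> java .jks
  sudo -E "$keytool" -importkeystore \
    -deststorepass:env KS_PASS -destkeypass:env KS_PASS \
    -destkeystore "$KEYSTORE" \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
    -alias tomcat
  # add the CA chain
  sudo -E "$keytool" -import -trustcacerts -noprompt -alias root \
    -file "$LIVE_DIR/chain.pem" -keystore "$KEYSTORE" -storepass:env KS_PASS

  # The keystore contains the private key: readable by root and the Tomcat
  # group only. The intermediate .p12 holds the same key and is not needed.
  sudo chown "root:${TOMCAT_USER}" -- "$KEYSTORE"
  sudo chmod 640 -- "$KEYSTORE"
  sudo rm -f -- "$p12"
}

#######################################
# Print the SSL connector to add to tomcat/conf/server.xml.
# PASSWORD stands for the value of KS_PASS; server.xml then holds the
# keystore password in clear text, so it must not be readable by other users.
# Port 443 is privileged; how a non-root Tomcat binds it (setcap, authbind,
# port redirect) is outside this script — confirm before relying on it.
# Globals:   KEYSTORE (read)
# Outputs:   the <Connector> element on stdout
#######################################
print_connector() {
  cat <<EOF
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${KEYSTORE}" keystorePass="PASSWORD"
           keyAlias="tomcat" keyPass="PASSWORD"
           clientAuth="false" sslProtocol="TLS" />
EOF
}

main() {
  : "${KS_PASS:?set KS_PASS to the keystore password (export it; do not pass it as an argument)}"
  export KS_PASS
  obtain_cert
  convert_to_jks
  print_connector
}
main "$@"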