I have an Ubuntu 17.10 Server with Apache 2.4.27 and Tomcat 8.5.21, both serving through HTTPS thanks to a Letsencrypt certificate. It's been working fine for 3 months and automatic renewal (with the default cron) worked. But after the original expiration date, my Apache is still working fine using the renewed certificate, but Tomcat8 is still using the expired certificate, so I get the Insecure Connection warning in my browser.
I tried `force-reload` on my Tomcat8 service and even rebooting the whole server, without success.
This is my Tomcat8 SSL configuration in `server.xml`:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLSv1.2" keyAlias="tomcat"
           keystoreType="JKS"
           keystoreFile="/etc/letsencrypt/live/example.com/MyDSKeyStore.jks"
           keystorePass="PASSWORD" />
```
If I try:

```sh
openssl s_client -connect 127.0.0.1:443 -showcerts
```

I see my Apache effectively using the renewed certificate, but for Tomcat8, on port 8443:

```sh
openssl s_client -connect 127.0.0.1:8443 -showcerts
```

```
[...] verify error:num=10:certificate has expired [...]
```
Any idea how I can make my Tomcat use the renewed certificate?
Update:

Thanks to the comments, I've seen that the Tomcat keystore at `/etc/letsencrypt/live/example.com/MyDSKeyStore.jks` was not touched by the renewal. So I guess the real problem here is how to automatically update this file when my certificate renews.
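One way to close that gap, as an added example that is not part of the question or its answers: a certbot deploy hook that checks whether the JKS keystore is older than the renewed `fullchain.pem`, rebuilds it from the PEM key and chain, and restarts Tomcat. It assumes certbot's `RENEWED_LINEAGE` variable (set to the live directory when the hook runs), the keystore name and alias from the `server.xml` above, the keystore password passed in the `KEYSTORE_PASS` environment variable, and a systemd unit named `tomcat8`.

```sh
#!/bin/sh
# certbot deploy hook (added example, not from the original question): after a
# renewal, rebuild Tomcat's JKS keystore from the new PEM files and restart
# Tomcat so port 8443 serves the renewed certificate. Assumptions: certbot sets
# RENEWED_LINEAGE to the live directory, keystore name/alias match server.xml,
# the keystore password is supplied in KEYSTORE_PASS, the unit is "tomcat8".
set -eu
KEYSTORE_NAME="${KEYSTORE_NAME:-MyDSKeyStore.jks}"
KEYSTORE_ALIAS="${KEYSTORE_ALIAS:-tomcat}"
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat8}"

# Succeeds when the keystore is missing or older than fullchain.pem, i.e. a
# renewal happened that the keystore never picked up (the question's situation).
keystore_is_stale() {
    [ ! -f "$2" ] || [ "$1" -nt "$2" ]
}

# Build a fresh JKS from privkey.pem + fullchain.pem and swap it in atomically.
rebuild_keystore() {
    live="$1"; keystore="$2"; pass="$3"
    work="$(mktemp -d "$(dirname "$keystore")/.keystore.XXXXXX")"  # same filesystem: mv is a rename
    # Bundle key and full chain into PKCS12 under the alias Tomcat looks up.
    openssl pkcs12 -export -name "$KEYSTORE_ALIAS" \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -passout "pass:$pass" -out "$work/keystore.p12"
    # Convert to JKS; Tomcat 8.5 could also load the .p12 with keystoreType="PKCS12".
    keytool -importkeystore -noprompt -alias "$KEYSTORE_ALIAS" \
        -srckeystore "$work/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$work/keystore.jks" -deststoretype JKS -deststorepass "$pass"
    if [ -f "$keystore" ]; then
        chown --reference="$keystore" "$work/keystore.jks"  # keep owner/mode so Tomcat can still read it
        chmod --reference="$keystore" "$work/keystore.jks"
    fi
    mv -f "$work/keystore.jks" "$keystore"
    rm -rf "$work"
}

main() {
    live="$1"
    keystore="$live/$KEYSTORE_NAME"
    if keystore_is_stale "$live/fullchain.pem" "$keystore"; then
        rebuild_keystore "$live" "$keystore" "${KEYSTORE_PASS:?set to the keystorePass from server.xml}"
        systemctl restart "$TOMCAT_SERVICE"
    fi
}

# certbot exports RENEWED_LINEAGE only while running a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$RENEWED_LINEAGE"
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script` (or drop it, executable, into `/etc/letsencrypt/renewal-hooks/deploy/`) so it runs only on a successful renewal rather than on every cron invocation.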