Are you sure you want to? If you are proxying back on the loopback interface (127.0.0.1), there doesn't seem to be any real benefit and it will come with the overhead of double TLS handshakes.
Anyway, Tomcat requires certificates and private keys to be packed up in either a Java keystore or a pfx archive. You can read how to do that, and how to configure the Tomcat connector here: Apache Tomcat 8 (8.0.53) - SSL/TLS Configuration HOW-TO
Those instructions are also shown in a Let's Encrypt specific way in this post: Using let's encrypt with tomcat