You mention the cacert truststore. Is your goal here to have the servers use an SSL server certificate from Let’s Encrypt (so web browsers can be used to access the JIRA) ? Or to have the JIRA be able to achieve trust in some other server, which has certificates issued by Let’s Encrypt, for example a version control server or chat server of some sort ? Or both?
The latter should work “out of the box” with a new enough Java, but otherwise it will usually make sense to add IdenTrust’s CA to the system-wide Java trusted CA store, the same thing that Oracle have done in latest Java and there are existing guides on how to do that I think.
The rest of this text assumes you need the former, ie to have a JIRA server with a valid SSL certificate.
Firstly, be sure your JIRA server has a Fully Qualified Domain Name from the Internet e.g. “jira.example.com” not “jiraserver” or “jiraserver.contoso.corp”. Without that, Let’s Encrypt is not permitted to issue you a certificate. If the JIRA server isn’t accessible from the public Internet (e.g. it’s behind a firewall prohibiting all inbound traffic), but does have an Internet FQDN, you can get certificates but may need to do a bit more work, since you won’t be able to simply run certbot from the Jira server and should research further to ensure you can achieve your goal.
Once you can get a certificate, a lot of http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html probably applies (assuming you have Tomcat 8.5.x), although the “Quick Start” instructions can be ignored unless you first want to see SSL-enabled Tomcat working at all on your system without the Let’s Encrypt valid certificate.
Note that there are separate instructions depending on whether you end up with the Apache Portable Runtime (APR) or the native Java stuff making this go.
The APR stuff works a lot like Apache’s web server, and so the settings for certbot generated certificates will be correspondingly simple, you’ll need the server.xml or equivalent to set
except that obviously the DNS name of your JIRA server needs to go where it says example.com
For native Java, you need to create either a PKCS12 or Java Keystore from those two files, and you will need to redo this step every time certbot renews your Let’s Encrypt certificate (every 2-3 months) so you should develop a script to do it and tell certbot with “hooks” to run that script after renewal.