renew command will renew your cert but won't install it in your keystore, you need to do it manually or you can automate it in the renew process but you should provide a script to perform the needed steps to recreate your keystore with the new cert and reload your tomcat.
You are using Nio Protocol so you can't use this directive
SSLCertificateFile, this is only valid for APR Protocol.
First you need to renew your cert but you already did, the problem here is that you have generated several certs
CRT ID DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
141619623 gpsowl.com 2017-May-21 03:03 CEST 2017-Aug-19 03:03 CEST 88 days gpsowl.com
140104828 gpsowl.com 2017-May-18 04:12 CEST 2017-Aug-16 04:12 CEST 85 days gpsowl.com
133064925 gpsowl.com 2017-May-05 03:13 CEST 2017-Aug-03 03:13 CEST 72 days gpsowl.com
So you need to identify which is the right one, I think is the one containin domain and ww domain. I suppose that the right cert containing both domains is located at
/etc/letsencrypt/live/gpsowl.com/ and the cert containing only your domain is located at
To identify how many domains contains your cert can use this:
echo | openssl x509 -in /etc/letsencrypt/live/gpsowl.com/cert.pem -noout -text | grep DNS:
echo | openssl x509 -in /etc/letsencrypt/live/gpsowl.com-0001/cert.pem -noout -text | grep DNS:
Once you have identified the right cert, you need to recreate the keystore with the new key and cert.
0.- Create a dir to store your keystore, I'm using
/etc/tomcat8/keystore/ for this example, you should use the path that you want.
mkdir -p /etc/tomcat8/keystore/
1.- Create a pkcs12 store (change HERETHEPASSWORD with the password you want):
openssl pkcs12 -export -in /etc/letsencrypt/live/gpsowl.com/fullchain.pem -inkey /etc/letsencrypt/live/gpsowl.com/privkey.pem -out /etc/tomcat8/keystore/gpsowl.com.p12 -password pass:HERETHEPASSWORD
2.- Import pkcs12 store into a keystore (change HERETHEPASSWORD with the password used in previous command):
keytool -importkeystore -srckeystore /etc/tomcat8/keystore/gpsowl.com.p12 -srcstoretype pkcs12 -srcstorepass HERETHEPASSWORD -destkeystore /etc/tomcat8/keystore/gpsowl.com.keystore -deststoretype jks -deststorepass HERETHEPASSWORD
3.- Configure your tomcat to use the right keystore and pass:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" URIEncoding="UTF-8"
clientAuth="false" sslProtocol="TLS" />
4.- Restart or reload your tomcat.
I hope this helps.