First off, there are a multitude of ways to get a certificate from Let’s Encrypt, between applications you run locally on the machine to websites that can help you do the process manually. Ideally, this should be as automated as possible, so the manual setup is more of a last resort. Nobody wants to have to do that every three months! Let’s Encrypt uses a specification called ACME to issue certificates (Automated Certificate Management Environment), which will be referenced a lot here. It’s just the way to talk to Let’s Encrypt.
I’d recommend having a look at the ACME Clients List and picking a Windows version that looks like it might work for you. Full disclosure, I’m not as well-versed on the Windows side of ACME clients, so I don’t have any specific recommendations. I do believe most of these are geared towards IIS, as that’s a more “standard” web server to run on Windows, as it’s the actual Windows web server, but I suspect that some of these work with Tomcat as well. Look at their docs to be sure!
Now, there are three ways to verify the possession of your domain name to Let’s Encrypt. Two of these require something to happen on your web server, and one requires something to happen in your DNS. Most likely, you’ll want to use the http-01 challenge type, which requires your web server being able to serve a specifically named text file with some particular contents from the .well-known/acme-challenge directory. For example, if the challenge file was named
gGg43g4t4gfdgfhgTV23, Let’s Encrypt would attempt to retrieve the URL
http://info.finwoks.com/.well-known/acme-challenge/gGg43g4t4gfdgfhgTV23. Do note that if you issue a certificate for multiple domains/subdomains (e.g. finwoks.com and info.finwoks.com), each of those will have its own challenge file that must be served. There is one potential issue here for your setup, and that is the fact that this challenge type must go over port 80. You can redirect to 8080 internally, but it must be accessible to the public internet on port 80.
The other challenge type that requires the web server to do something is the tls-sni-01 challenge, but I don’t believe that’s well-supported on Windows/Tomcat yet, so we won’t go into it besides to note that it requires access to your server on port 443.
Finally, the last challenge type doesn’t access your webserver at all, but rather issues a DNS query for a specially named TXT record, and expects a response with a specific string. This often needs to be done manually, unless your DNS provider happens to have some form of API access for management, and you use an ACME client that can integrate with that API.
This is all covered in more depth in various pieces of documentation, but hopefully this gets you started down the right path!