So your host gets your certificates from Let’s Encrypt for you? It’s kind of hard to automate then. That’s important because it will need to be done at least every three months.
If you can configure and restart tomcat you must be able to run openssl somehow though, if nothing else every time tomcat is started.