Site is still not secure

Let’s simplify your commands and configuration a little bit.

Begin in the Tomcat directory:

cd /opt/tomcat/

Define which certificate we’re working with:

export CERT_DOMAIN=spendwithfriends.com

Convert from Certbot PEMs to PKCS#12:

openssl pkcs12 -export -out "$CERT_DOMAIN.p12" \
-in "/etc/letsencrypt/live/$CERT_DOMAIN/fullchain.pem" \
-inkey "/etc/letsencrypt/live/$CERT_DOMAIN/privkey.pem" \
-passout pass:changeit

Then convert from PKCS#12 to JKS:

rm -f "$CERT_DOMAIN.jks" && keytool -importkeystore \
-destkeystore "$CERT_DOMAIN.jks" \
-srckeystore "$CERT_DOMAIN.p12" -srcstoretype PKCS12 \
-deststoretype JKS -srcstorepass changeit -deststorepass changeit

Then configure a connector in Tomcat (Tomcat 9 in this case). Note that omitting the keystore password below only works if you leave the passwords above as changeit:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="spendwithfriends.com.jks"
                      type="RSA" />
    </SSLHostConfig>
</Connector>

While Tomcat is running, check that it is serving the certificate:

openssl s_client -connect localhost:8443 -servername "$CERT_DOMAIN" -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Assuming you see your certificate’s details appear, that’s all working. Any remaining problems, you can blame on your iptables DNAT.

Edit: I noticed you’re using Tomcat 8, so I’ve also tested these instructions on Tomcat 8.5.43.

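The whole procedure above (Certbot PEMs to PKCS#12, PKCS#12 to JKS, then checking what the connector serves) as one script, added here as an example and not code from the original post. It assumes the `openssl` CLI is installed and `keytool` may or may not be (the JKS step is skipped when it is absent); the self-signed key and "chain" it generates are a constructed stand-in for `/etc/letsencrypt/live/<domain>/{privkey,fullchain}.pem` so the run-through works offline. Two things the post leaves implicit are made explicit: because `changeit` is a well-known default, the keystores are protected by file mode rather than by the password, and the served-certificate check reads from `/dev/null` so `s_client` does not sit waiting on stdin.

```shell
#!/bin/sh
# Added example (not from the original post): Certbot PEM -> PKCS#12 -> JKS for
# Tomcat, plus the read-back and live checks. Paths and the demo domain are assumptions.
set -eu

# Constructed stand-in for Certbot's live directory: a throwaway self-signed
# key + cert so the script runs offline. Real deployments use the Certbot files.
make_test_live_dir() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$domain" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Certbot PEMs -> PKCS#12. Same command as the post, with the password passed in.
# OpenSSL 3 writes AES/PBKDF2 by default; if an old JDK's keytool rejects the
# file, add -legacy to fall back to the older PKCS#12 algorithms.
pem_to_p12() {
    live=$1; domain=$2; out=$3; pass=$4
    openssl pkcs12 -export -out "$out" \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name "$domain" -passout "pass:$pass"
    chmod 600 "$out"   # the file holds the private key; "changeit" protects nothing
}

# PKCS#12 -> JKS. Optional: Tomcat 8.5/9 can read the .p12 directly if you set
# certificateKeystoreType="PKCS12" on the <Certificate> element.
p12_to_jks() {
    p12=$1; jks=$2; pass=$3
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping JKS conversion" >&2
        return 0
    fi
    rm -f "$jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" >/dev/null 2>&1
    chmod 600 "$jks"
}

# Read the leaf certificate's subject back out of the PKCS#12: proves the
# password opens it and that it contains the certificate you expect.
p12_subject() {
    p12=$1; pass=$2
    openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null \
        | openssl x509 -noout -subject
}

# Live check against the running connector (needs the network, so it is not part
# of the offline run-through). </dev/null stops s_client waiting on stdin, and
# -servername sends SNI so a multi-host Tomcat picks the right certificate.
served_cert_info() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
}

# Offline run-through using the constructed cert; prints the subject read back
# from the PKCS#12 so a caller can confirm the conversion round-tripped.
run_demo() {
    domain=${1:-spendwithfriends.com}   # assumed demo domain (from the post)
    work=$(mktemp -d)
    make_test_live_dir "$work/live/$domain" "$domain"
    pem_to_p12 "$work/live/$domain" "$domain" "$work/$domain.p12" changeit
    p12_to_jks "$work/$domain.p12" "$work/$domain.jks" changeit
    p12_subject "$work/$domain.p12" changeit
    rm -rf "$work"
}

run_demo "${1:-spendwithfriends.com}"
```

Run it as `sh convert.sh yourdomain.example` to exercise the conversion end to end; for the real deployment, point `pem_to_p12` at `/etc/letsencrypt/live/$CERT_DOMAIN` (root-only, so run it as root) and call `served_cert_info localhost 8443` once Tomcat is up. Since Certbot replaces the PEMs on renewal, the conversion has to be repeated after each renewal or Tomcat will keep serving the old certificate until it expires.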