letsencrypt offers free HTTPS certificates with the limitation that you need to set them up to auto renew every ~3 months. Below are some example scripts that last of which should be called from cron.
Settings
DOMAIN=noodle.example.com
EMAIL=me@example.com
PASS=example
DIR=/opt/Noodle/ACME
JKS=/opt/Noodle/noodle.jks
Initialize
. /opt/Noodle/settings.sh
apt install -y certbot
systemctl disable certbot
mkdir $DIR
certbot register --agree-tos --no-eff-email -m "$EMAIL"
certbot certonly --webroot \
--webroot-path $DIR \
--cert-name "$DOMAIN" \
-d "$DOMAIN"
/opt/Noodle/convert.sh
Convert
. /opt/Noodle/settings.sh
P12=$(mktemp)
rm -f "$JKS"
openssl pkcs12 -export \
-in /etc/letsencrypt/live/"$DOMAIN"/cert.pem \
-inkey /etc/letsencrypt/live/"$DOMAIN"/privkey.pem \
-certfile /etc/letsencrypt/live/"$DOMAIN"/fullchain.pem \
-name "$DOMAIN" \
-out "$P12" \
-password "pass:$PASS"
keytool -genkeypair \
-alias temp \
-storetype JKS \
-keystore $JKS \
-storepass "$PASS" \
-keypass "$PASS" \
-dname "CN=temp, OU=temp, O=temp, L=temp, S=temp, C=CA"
keytool -delete \
-alias temp \
-keystore $JKS \
-storepass "$PASS"
keytool -importkeystore \
-srckeystore "$P12" \
-srcstoretype pkcs12 \
-destkeystore $JKS \
-deststoretype JKS \
-srcstorepass "$PASS" \
-deststorepass "$PASS"
rm "$P12"
Renew
. /opt/Noodle/settings.sh
certbot renew --webroot \
--webroot-path $DIR \
--cert-name "$DOMAIN" \
--deploy-hook /opt/Noodle/convert.sh
Currently Noodle must be restarted to reload the keystore.