Certbot and Tomcat - Certificates Obtained but Not Converted to JKS and Configured with Tomcat (FIXED!)

Hi @gerryscat

The fact that you were using a PEM as the keystore file makes me suspect you don’t quite understand how Java keystores work.

There is a fairly detailed walk through here: Using LetsEncrypt Certificates on Tomcat 8.x on Windows

Generally it’s a good idea to answer all the questions in the help section, as it helps narrow down the root cause.

I suspect this is what has happened:

A) You have issued a new certificate for your domain (cannot verify this without your domain name).
B) Certbot has created the key and certificate in the usual location.
C) You have not created the keystore out of those certificates in B.
D) You have not applied your keystore to Tomcat.
E) You have not restarted your Tomcat. As such, it’s still using the old keystore with your old certificate.

Andrei
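
Steps C to E above as an added example (not part of Andrei's post): the functions below build a PKCS#12 keystore from certbot's `privkey.pem` and `fullchain.pem`, and detect a stale keystore by comparing certificate fingerprints. The live directory, keystore path, the `tomcat` alias and the `KS_PASS` environment variable are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: LIVE_DIR is certbot's live/<domain> directory,
# KS_PASS holds the keystore password (kept out of the process list via env:).

# SHA-256 fingerprint of the leaf (first) certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate inside a PKCS#12 keystore.
keystore_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Step C: bundle private key + chain into a keystore readable only by its owner.
# Written to a temp name first so Tomcat never sees a half-written file.
# A JKS file can be produced from the result with `keytool -importkeystore`.
build_keystore() {   # usage: build_keystore LIVE_DIR OUT_P12
    ( umask 077
      openssl pkcs12 -export \
          -inkey "$1/privkey.pem" -in "$1/fullchain.pem" \
          -name tomcat -out "$2.tmp" -passout env:KS_PASS ) &&
    mv "$2.tmp" "$2"
}

# Succeeds only if the keystore holds the certificate certbot issued last.
keystore_is_current() {   # usage: keystore_is_current LIVE_DIR KEYSTORE
    [ -f "$2" ] || return 1
    want=$(pem_fingerprint "$1/fullchain.pem")
    [ -n "$want" ] && [ "$want" = "$(keystore_fingerprint "$2")" ]
}

# Steps C-E driver: prints "current" or "rebuilt"; on "rebuilt" the caller
# must restart Tomcat (step E), since a running instance keeps the old keystore.
refresh_keystore() {   # usage: refresh_keystore LIVE_DIR KEYSTORE
    if keystore_is_current "$1" "$2"; then
        echo current
    else
        build_keystore "$1" "$2" && echo rebuilt
    fi
}
```

Run `refresh_keystore` from a certbot deploy hook or after each renewal, and point the Tomcat connector at the resulting file with the matching keystore type and password.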