Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:jjk-ai.us
I ran this command:certbot certonly --webroot --force-renewal --agree-tos --register-unsafely-without-email -n -w /home/random/apache-tomcat-7.0.96/webapps/ -d jjk-ai.us
It produced this output: It produced a valid certificate which was then installed into my Tomcat server. This can be verified with any SSL check.
My web server is (include version):tomcat 7.0.96
The operating system my web server runs on is (include version):ubuntu 18.04
My hosting provider, if applicable, is:digitalocean
I can login to a root shell on my machine (yes or no, or I don't know):yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):2.11.0
Let's Encrypt will always issue certs with a "valid-from" time one hour before they were issued. You may have gotten a cert today (edit: no, actually, you didn't; the last cert issued for your domain was on 27 Aug, the date on the cert you're serving), but the cert your site is serving was issued a couple of weeks ago. What's the output of certbot certificates?
Edit:
Do not use that option, and burn whatever guide told you to do so.
Certbot's intended usage is to have it run regularly (like twice a day), where it checks if the certificate needs to be renewed (not only by figuring out if the current time is close enough to the expiration of the certificate, but by checking if the certificate is revoked by the CA). So most of the time when it runs, it does nothing, and every couple of months it does the renewal instead. Trying to force renewal and running it only sporadically can work, but it likely making things harder on yourself.
What exactly is your question? It looks like you have a working certificate setup.
I did not mention something that might be relevant. When the certificate is returned from let'sencrypt it is moved into a jks keystore which is where my Tomcat server wants it. The September 9th "creation" date is what the key store displays. The command script that requested the certificate and moved it to the key store was run under a cron tab on September 9th. No certificate was requested on August 26th. In fact the crontab command script was run only about 70 days earlier. I don't know why the certificate that was requested and obtained on September 9th has a valid from date of August 26th.
The Sep9 date is just when your script touched the jks keystore. It is not related to the actual issuance of certs. The public Certificate Transparency logs shows you got these (see https://crt.sh). Note also these are issued every 60 days as is usual for Certbot standard auto-renew setup.
Uploading the same Aug27 issued cert multiple times to your jks store does not affect the duration of the cert itself.
What is triggering these 60 day interval updates?
My certbot certonly request was made on September 9th, an the previous request was about 73 days earlier.
Certbot itself determines if a certificate needs to be renewed or not. (When not using --force-renewal that is...) That's why the recommendation is to run certbot renew twice a day. Because the application itself checks the expiry date and subtracts 30 days from it. Which is 90-30=60 for Let's Encrypt certificates.
BTW, I am using the same 73-day crontab technique on some other domains and the certificates I receive have 89 days left until expiration when I receive them.
