It seems like this (and the other includes) might be the key to your problem, along with the difference between /opt/tomcat/apache2/htdocs and /opt/tomcat/apache-tomcat/webapps/ROOT, as you point out.
I'd recommend trying the Apache plugin for certbot: certbot --apache.