How Let's Encrypt extension renews certificates?
Let's Encrypt extension has
keep-secured.php task in Tools & Settings > Scheduled Tasks. This task runs hourly and renewes certificate which are soon to be expired and which failed to be renewed based on SANS. It means that if main domain is secured, but webmail or www domain failed to be secured task will not try to renew certificate for webmail and www domain automatically and will not produce any errors in logs because successfully secured domain name has already been added into SANS.
It will try to renew all domain names which should be secured if Keep Secured option is enabled in Service Plans > plan_name > Additional Services or in Domains > example.com > SSL it!.
If both Let's Encrypt and SSL It! extensions are installed in this case:
/opt/psa/admin/plib/modules/sslit/scripts/keep-secured.phpis responsible for auto-renew of domains'certificates
/opt/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.phpis responsible for auto-renew of Plesk panel certificate (that is managed in Tools & Settings > SSL/TLS Certificates)