Note to self: If the Let's Encrypt extension for Plesk fails to renew a certificate (when triggered manually), disable the automatic forwarding to an SSL connection in the Apache settings. This forced secure connection seems to disturb the renewal script.
The error I got was something like this:
Let's Encrypt SSL certificate installation failed: Failed letsencrypt execution: 2016-01-19 13:56:07,885:WARNING:letsencrypt.cli:Root (sudo) is required to run most of letsencrypt functionality. Failed authorization procedure. removed.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://removed.domain.com/.well-known/acme-challenge/ REMOVED-ID [REMOVED IP]: 401 IMPORTANT NOTES: - The following errors were reported by the server: Domain: removed.domain.com Type: urn:acme:error:unauthorized Detail: Invalid response from http://removed.domain.com /.well-known/acme-challenge/ REMOVED-ID [REMOVED IP]: 401
See also this bug report on Github.
Let's hope the extension is going to renew all certificates automatically every month from now on, as it should.