So just out of curiosity, I just checked my log and it seems to confirm what chente said... From the looks of the log, certbot automatically runs at certain intervals, so if certs meet the renewal criteria, they are renewed. It looks like this is handled with a cron script inside the container.
Code
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for my-domain.xyz will be requested
E-mail address entered: my-email@aol.com
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).