Hi Lupu. The issue is related.
I had no issues with mail subdomain (especially after workaround described here). Only with webmail subdomain.
The workaround is to revert webmail DNS A record to primary IP, reissue certificates for mail. and add both IP’s to domain’s SPF record like so:
"v=spf1 a mx ip4:0.0.0.1 ip4:0.0.0.2 -all"
I see this as roundcube web server problem, and not the letsencrypt problem.
Roundcube should handle and listen webmail.example.com even if IP addres is changed, and currently it is not.
This is important for me, because with dedicaded IP for domain (and mail server) I can set up rDNS and get much better antispam score.