Probably the easiest way to get a free certificate would be to install Certbot on your VPS, create the certificate on the VPS, and then manually import the certificate into Plesk.
No, you'd need to validate the SSL certificate each time it renews. Let's Encrypt issues 90 day certificates, and Plesk renews them automatically every 60 days.
You don't have to use our DNS. You can use Cloudflare or any other DNS providers that you want to.