https://www.reddit.com/r/synology/comments/m5znr4/lets_encrypt_certificate_renewal_failing/
Alternatively — place Cloudflare in front of your services. They will provide valid certificates, and shield you from abuse.
Edit: and if you don’t provide public services — don’t use LE in the first place. Generate your own certificate.
Turn on ports 80 and 443 on the router's firewall.
Turn off Synology NAS DSM's firewall.
Make sure the Synology NAS can pass traffic through ports 80 and 443.
Steps tested by Paul:
Control Panel => Connectivity => Security => Certificate
Add => Replace an existing certificate: pick correct domain name, next
Get a certificate from Let's Encrypt, next
Fill out "Domain Name" and "Email" => click "Done"