Hi,
I run a Synology NAS for family use and so don’t really want port 80 and/or 443 permanently open.
Is it possible to use port triggering so that when my Synology NAS tries to renew the certificate, the router will open port 80/443 and close it after?
Port triggering doesn’t seem like it’s going to help, unless you can get the Synology software to make an outbound connection on the trigger port, right before it performs renewal.
What you might be able to do is to identify what times of day your device tries to perform its renewals, and set up a scheduled task (cron) to open and close the ports.
A good solution would be to use the DNS-01 challenge. Your DNS provider will need an API that can be called programmatically. This list of DNS providers should point you in the right direction. I recently had success on a Synology NAS using acme.sh and following this guide. I recommend testing issuance against the staging environment.