Welcome to the community @lemondrop9344
It would help just to clarify some things and cover background.
Your gjknas.com site is sending a self-signed cert that expired in Oct 2018
See here
I see no history of you ever having a Let's Encrypt cert
And no history of an LE cert for any other names shown in your self-signed cert
See here and here
I do not understand your concern with Carrier NAT. The IP for gjknas.com is readily accessible to the public. Can you explain your concerns?
I also do not understand your concerns about port forwarding and the like. I get normal responses from requests to gjknas.com from Apache
Going forward:
If your self-signed cert was satisfactory perhaps you just need to make a new one
You could also start using certs from Let's Encrypt. You cannot "renew" your self-signed cert with one from LE - you start fresh. Below is a recent page from Synology about doing that. If you have more specific questions about LE let us know.