Wow, this was a rookie mistake, I guess.
This was a port forwarding problem, apparently. I had only 80>5000 and 443>5001 set up, which allowed me to log in remotely to my NAS just fine; I thought that should allow Let's Encrypt to communicate to get the cert. I'm not sure why it had no problem connecting for the DDNS cert.
When I changed the rules to 80>80, 443>443, 5000>5000, and 5001>5001, it pulled the paid domain cert just fine. I do have redirect to HTTPS set in the NAS.
After getting it set up, I went back to only having 443>5001, and it seems to be functioning fine. Will leaving it at this setting prevent the cert from renewing? Which of the above rules is the one I have to leave on indefinitely?
Also, as an FYI for others, I'm not sure why there are so many posts saying you have to have a paid registered domain that CNAMEs to your free Synology DDNS name. It seems to me that both Let's Encrypt certs function the same, and the Synology cert and address work OK. Thanks for the exercise.