This information might be useful for you guys:
Excerpt from the official Synology Support:
The Let’s Encrypt built-in Synology supports TLS-SNI-01, HTTP-01 and DNS-01 validation.
Although TLS-SNI-01 validation is reaching end-of-life, the Synology Let’s Encrypt will not be affected.
If you have enabled Synology DDNS and use the name to apply for the certificate, the process will go through HTTP-01 validation first.
Once Synology DDNS server is not ready, or there is any failure during HTTP-01 validation, the process will fall back to DNS-01 validation.
For non-Synology name service, it uses HTTP-01 which requires port 80 accessibility.
Thus, we suggest you keep port 80 open for validation if you do not use Synology DDNS name to apply the certificate.