Here is a little hint for those of you who use a Synology and want to get a Let's Encrypt certificate for it despite having another server as your "main" server:
Prerequisites:
You need to have an HTTP server that can forward requests internally (a reverse proxy, for example Apache2)
You need to have a DNS server with a so-called "split horizon view" or "scripting" (for example, PowerDNS)
Your main server CANNOT use the HTTP-01 challenge (it needs to use DNS-01 instead, because otherwise the two will conflict, as the server cannot know whether a challenge response should be directed to the NAS or not)
Let's assume your NAS has IP 192.168.1.5, your public IP (WAN IP) is 123.123.123.123, and your NAS is at nas.example.org
First, you need to forward all Let's Encrypt requests to the Synology:
In the Apache config (or the corresponding config snippet for your HTTP server), for the :80 virtualhost, add the following:
ProxyPass /.well-known/acme-challenge/ http://192.168.1.5/.well-known/acme-challenge/
ProxyPassReverse /.well-known/acme-challenge/ http://192.168.1.5/.well-known/acme-challenge/
After that, you need to enable scripting or split horizon in your authoritative DNS server (enable-lua-records=yes in PowerDNS), and add the following record (or the corresponding one for your DNS server software):
nas.example.org 3600 IN LUA A "view({{{'192.168.0.0/16'}, {'192.168.1.5'}}, {{'0.0.0.0/0'}, {'123.123.123.123'}}})"
This causes PowerDNS to respond with "192.168.1.5" for nas.example.org when a client inside your network (192.168.0.0/16) asks, but to respond with your public IP if Let's Encrypt asks for the purposes of validation.
After that, just go into the DSM settings, create a Let's Encrypt certificate, and voilà, done. No problems at all. Now your "Secure Sign In" will work flawlessly.
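A way to sanity-check the view() record above before loading it into the zone, as an added example that is not part of the original post or of PowerDNS: it parses the record text, reports which address a given client would receive, and flags rules that can never match because an earlier, broader netmask comes first. The function names and client addresses are made up for illustration, and it assumes rules are evaluated in the order written with the first matching netmask winning.

```python
import ipaddress
import re

# Record content from the post (addresses are the post's example values).
RECORD = ("view({{{'192.168.0.0/16'}, {'192.168.1.5'}}, "
          "{{'0.0.0.0/0'}, {'123.123.123.123'}}})")

RULE_RE = re.compile(r"\{\{([^{}]*)\}\s*,\s*\{([^{}]*)\}\}")
ITEM_RE = re.compile(r"'([^']+)'")


def parse_view(record):
    """Return [(networks, destinations), ...] in the order written."""
    rules = []
    for nets, dests in RULE_RE.findall(record):
        networks = [ipaddress.ip_network(n) for n in ITEM_RE.findall(nets)]
        addresses = [ipaddress.ip_address(d) for d in ITEM_RE.findall(dests)]
        if not networks or not addresses:
            raise ValueError("rule with empty netmask or destination list")
        rules.append((networks, addresses))
    if not rules:
        raise ValueError("no view() rules found")
    return rules


def answer_for(rules, client):
    """Destinations of the first rule matching client, or None (assumed first-match order)."""
    ip = ipaddress.ip_address(client)
    for networks, addresses in rules:
        if any(ip.version == n.version and ip in n for n in networks):
            return [str(a) for a in addresses]
    return None


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier network covers them."""
    seen, dead = [], []
    for i, (networks, _) in enumerate(rules):
        if all(any(n.version == s.version and n.subnet_of(s) for s in seen) for n in networks):
            dead.append(i)
        seen.extend(networks)
    return dead


if __name__ == "__main__":
    rules = parse_view(RECORD)
    for who in ("192.168.1.20", "198.51.100.7"):  # constructed client addresses
        print(who, "->", answer_for(rules, who))
    print("shadowed rules:", shadowed_rules(rules))
```

A None result means no rule covers that client; with the record above that is the case for any IPv6 client, since both netmasks are IPv4.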