Let's Encrypt without opening port 80 or 443

7 Replies, 16212 Views, 3 Likes

Hi,

I'm using my own domain name and I'm trying to get an SSL certificate from Let's Encrypt, but it only seems to work if you have port 80 and/or 443 open, and I'd rather not have those ports open all the time, for security reasons.

How do you renew your Let's Encrypt certificate?

Thanks


There are options by leaving specific code in the DNS info of your domain name. But they are not supported by the Synology implementation (only for the Synology DDNS names).

I think instructions for adding the code were once given in this forum. But it requires copying certificates yourself for every renewal. Then it is just the same work to temporarily open ports.

You may leave port 80 open and add two rules in the firewall to accept only IPs from LE: 64.78.149.164 and 66.133.109.36


I've been searching for the LE server IPs. Can you let me know where you got these addresses, and are those the only ones? I live overseas and I am trying to do exactly what you did... Thanks in advance

If I'm not mistaken, if you do not run Web Station (which is not a prerequisite for the Let's Encrypt update process) and only use it for DSM SSL certificates, the ports will be open but there will be no listener on ports 80 and 443 until the LE script is actually being executed, so any requests outside that window will basically experience a timeout.

PS: I would opt for OpenVPN if you want to securely connect to your NAS (or any other device, for that matter) on your home network; no Let's Encrypt required.

When that pops up I open port 80 and use the renewal button on the NAS Control Panel > Security.

But the default Synology ports are 5000 (HTTP) and 5001 (HTTPS). Did you forward 80 and 443 to 5000 and 5001 respectively on your router?

Managing SSL certs is the bane of my existence. I was also caught out by this unwelcome requirement to expose ports and happen not to be able to work around it at the moment. So I came up with an alternative. This is heavily inspired by this article.

Note: these instructions are for the manual DNS method. For the automatic method, which requires that your DNS provider has a compatible API, see the article above or the official references here.

First SSH into the NAS. Any user will do, but I think they must be part of the Administrators and HTTP groups. Then run the following, replacing the "your..." placeholders with your own details:

curl https://get.acme.sh | sh -s email=your@email.address --install --force # force to allow install without crontab
cd .acme.sh
./acme.sh --issue -d your.domain.name --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Add the TXT record to your DNS records exactly as instructed, make sure it has propagated (e.g. try running `dig -t txt _acme-challenge.your.domain.name`), and then run:

./acme.sh --renew -d your.domain.name --yes-I-know-dns-manual-mode-enough-go-ahead-please
export SYNO_Username="your_nas_username"
./acme.sh --deploy -d your.domain.name --deploy-hook synology_dsm

When prompted for the "OTP code" just enter the Synology account password (unless you have 2FA set up, and then I guess do something else?).

Finally, delete the existing "your.domain.name" entry in DSM > Control Panel > Security > Certificate and configure the new one that appears instead.

From then on you should just be able to renew with `./acme.sh --renew -d your.domain.name --server letsencrypt`.
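As an added example (not from the post above or from the acme.sh project), the following wrapper carries the manual DNS-01 steps from that post through in one script: it polls for the `_acme-challenge` TXT record before asking Let's Encrypt to validate it, then runs the renew and the synology_dsm deploy hook. It assumes acme.sh is installed under `~/.acme.sh` as shown above, that `dig` is available on the NAS, and that the domain and the TXT value printed by `acme.sh --issue` are passed in as arguments; the function names are my own.

```shell
#!/bin/sh
# Added example: finish a manual DNS-01 renewal once the TXT record is visible.
# Assumes acme.sh in ~/.acme.sh (as in the post) and dig on the PATH.
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# Return 0 when the expected TXT value is one of the lines in `dig +short`
# style output (each TXT line is a quoted string, e.g. "abc123").
txt_present() {
    dig_output="$1"
    expected="$2"
    printf '%s\n' "$dig_output" | tr -d '"' | grep -Fxq "$expected"
}

# Poll a public resolver until the challenge record is visible, or give up.
# The value must be seen from outside your own network, not just at the NAS.
wait_for_txt() {
    domain="$1"; expected="$2"; tries="${3:-20}"
    while [ "$tries" -gt 0 ]; do
        out=$(dig +short -t txt "_acme-challenge.$domain" @1.1.1.1 2>/dev/null)
        if txt_present "$out" "$expected"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 15
    done
    return 1
}

# Ask Let's Encrypt to validate the record, then push the cert into DSM.
# The synology_dsm hook reads SYNO_Username / SYNO_Password from the environment,
# so export them in your shell rather than writing them into this file.
renew_and_deploy() {
    domain="$1"
    "$ACME_HOME/acme.sh" --renew -d "$domain" --server letsencrypt \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please || return 1
    "$ACME_HOME/acme.sh" --deploy -d "$domain" --deploy-hook synology_dsm
}

# Usage: ./renew-dsm-cert.sh run your.domain.name <txt value from --issue>
if [ "${1:-}" = "run" ]; then
    wait_for_txt "$2" "$3" || { echo "TXT record not visible, aborting" >&2; exit 1; }
    renew_and_deploy "$2"
fi
```

Manual DNS mode still needs the new TXT value added by hand at each renewal, as the reply below quoting the acme.sh documentation notes; the wait loop only removes the guesswork about propagation.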

Thank you so much for this! My ISP recently replaced my router with a fancy new one ... which unfortunately natively blocks port 80. I noticed that only when the renewal of my certificate failed, and after a lot of reading I found your post and was able to generate and install a new certificate. 

I use 2FA, so I added

export SYNO_Password="your_nas_password"

between the SYNO_Username and deploy instructions, and the deploy script asked me for my OTP code.

Alas, I don't think that your last line applies, since the official documentation reads:

Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.

Did you manage to find a solution, or do you change the DNS TXT record manually each time?


PS: you might want to obfuscate your "true" domain name in your post above!