With this we’ve confirmed that your LE is setup correctly for https (your main ask in the thread title).
If you don’t need remote access, remove the forwards on the router or disable them for now.
Your easiest option to use https internally is to tell the browser to “trust” the site (your DSM web interface for now) when using the IP address. That doesn’t degrade the security. It’ll still be https traffic.
FYI seems to be normal that the certificate is issued by R3, according to Let's Encrypt:Well looks like I made a mistake early on by thinking you have forwarded the ports already. Guess that works now but am I do understand that you want https access only inside lan and not over the internet? If so you can just close the ports right now (apart from 80 for LE renewal), and listen to @WST16 advice regarding dns or ignoring https warnings.
UPDATE: @WST16 we will have to coordinate these responses
Root Certificates Our roots are kept safely offline. We issue end-entity certificates to subscribers from the intermediates in the next section. For additional compatibility as we submit our new Root X2 to various root programs, we have also cross-signed it from Root X1. Active ISRG Root X1...