Thanks WST16:
>>when you do it manually the connection is initiated from the DiskStation, so it overcomes the firewall restrictions
I assumed that the DiskStation always tries to initiate the renewal after say 60 days rather than the Let's Encrypt server, which simply sends out the renewal reminder after 60 days. Or could it be that accessing the certificate, as part of say a VPN process, 'says' to the DiskStation 'time to renew'? If the DiskStation initiates renewal, then a log should be full of 'tried to renew but failed' type error messages. I have not found any such messages, unless they are error code numbers. I did find logs of when I renewed manually. That suggests that the problem may be the trigger for renewal not coming in from the Let's Encrypt server, wherever that is located, and hence incoming ports rather than outgoing ports. (I hope that makes sense, even if my thoughts may be quite wrong!)