Let me throw in my ignorance and muddy the waters. As I understand, per Synology postings, ports 80/443 are required when creating LE certs for non-Synology domains. My response was triggered by the whole port 80/443 discussion. It gave the impression that those ports would be involved in the verification process when creating a wildcard certificate; they are not.
That said, yes, I was attempting to create a wildcard cert for a Synology domain; however, at the same time, I had a non-Synology SAN going along for the ride. My understanding then was to keep 80/443 open when creating a new cert.
As far as LE cert renewals go, if the LE cert is purely Synology, no open ports are required. However, where other non-Synology domains are involved, opening port 80 (or 443) for renewal is mandatory.