I walked through the menus to find the Control Panel, Security, and Certificates tab. Once I walked through adding/replacing a cert, I receive this error:
For clarity, this is what it says:
Get a Certificate from Let's Encrypt
Failed to connect to Let's Encrypt. Please make sure your DiskStation and router have port 80
open to Let's Encrypt domain validation from the Internet. All the other communications with
Let's Encrypt go over HTTPS to keep your DiskStation secure.
I originally was thinking my router, an Asus AC68U, wasn't capable of forwarding port 80 because it uses that port for the web interface. Turns out that later software updates fixed this issue and is now able to pass the traffic from outside:80->Synology:80. All good.
I made sure Web Station was running. And it still failed.
Turns out, I think the biggest issue was that even though the screen suggests you should just use your top TLD, you really need to put in your full FQDN in both the domain name and the alternative subject name fields.
Then the wizard worked like a charm.