FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
DPadula
Staff & Editor
Article Id 304570
Description: This article describes how to fix the EMS error (-1@_get_capabilities:471).
Scope: FortiGate v7.0.x.
Solution

When an EMS server is added to the FortiGate settings, the EMS needs to authorize the FortiGate before the two can communicate properly.
In the case where an EMS server was already added to the FortiGate settings but the message 'Failed to verify the certificate for server 'server_name' with Error (-1@_get_capabilities:471)' appears, first make sure that the FortiGate can communicate properly with the EMS server.

[Screenshot: EMS certificate verification error -1@_get_capabilities:471]

Checking the FortiGate settings for EMS via CLI:

config endpoint-control fctems
  edit 1
    set status enable
    set name "HLZ1-EMS-01_Default"
    set server "10.68.243.30"
    set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
  next
end

In this example, a ping from the FortiGate CLI shows that it cannot reach the EMS server:

LAB-FGT (root) # execute ping 10.68.243.30
PING 10.68.243.30 (10.68.243.30): 56 data bytes

--- 10.68.243.30 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

LAB-FGT (root) #

Once the communication between EMS and FortiGate is restored, it is necessary to accept the certificate again.

[Screenshot: accepting the EMS server certificate on the FortiGate]

When the FortiClient EMS is in multi-tenancy mode, the IP/Domain name configured under the Fabric Connector on the FortiGate needs to be the tenant FQDN rather than the IP address.

The FQDN has the format 'tenant name' + '.' + 'EMS FQDN'. For example, to connect to the tenant site 'default' on the EMS FQDN 'somedomain.it', the FQDN configured on the FortiGate needs to be 'default.somedomain.it', and the FortiGate must also be able to resolve that name.

To verify the connectivity, the FortiGate needs to ping the tenant FQDN 'default.somedomain.it', not just the EMS FQDN 'somedomain.it'.

If 'somedomain.it' alone is configured as the IP/Domain name by mistake, the FortiGate will get this error as well.
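As an added example that is not part of this article or of Fortinet's tooling, the following Python script parses a 'config endpoint-control fctems' block like the one above (the sample is constructed from the article) and classifies the configured 'server' value for a multi-tenant EMS: an IP address, the bare EMS FQDN, or the expected 'tenant.EMS-FQDN' name. The tenant name 'default' and EMS FQDN 'somedomain.it' are the article's own example values.

```python
import ipaddress
import re

# Constructed sample modelled on the article's FortiGate CLI output.
SAMPLE_CONFIG = """\
config endpoint-control fctems
  edit 1
    set status enable
    set name "HLZ1-EMS-01_Default"
    set server "10.68.243.30"
    set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
  next
end
"""


def parse_fctems(text):
    """Return {entry_id: {setting: value}} from a 'config endpoint-control fctems' block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"edit (\S+)$", line)
        if m:
            current = entries.setdefault(m.group(1), {})
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return entries


def expected_server(tenant, ems_fqdn):
    """Tenant FQDN the Fabric Connector must use when EMS runs in multi-tenancy mode."""
    return f"{tenant}.{ems_fqdn}"


def check_server(server, tenant, ems_fqdn):
    """Classify the configured server value: 'ip-address', 'bare-ems-fqdn', 'ok' or 'unexpected'."""
    try:
        ipaddress.ip_address(server)
        return "ip-address"  # multi-tenancy needs the tenant FQDN, not an IP
    except ValueError:
        pass
    if server.lower() == ems_fqdn.lower():
        return "bare-ems-fqdn"  # EMS FQDN without the tenant prefix
    if server.lower() == expected_server(tenant, ems_fqdn).lower():
        return "ok"
    return "unexpected"


if __name__ == "__main__":
    for entry_id, settings in parse_fctems(SAMPLE_CONFIG).items():
        verdict = check_server(settings.get("server", ""), "default", "somedomain.it")
        print(f"entry {entry_id}: server={settings.get('server')} -> {verdict}, "
              f"expected {expected_server('default', 'somedomain.it')}")
```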

Related article:

Technical Tip: FortiClient EMS with Multitenancy enabled