The Automated Certificate Management Environment (ACME), as defined in RFC 8555, is used by the public Let's Encrypt certificate authority (https://letsencrypt.org) to provide free SSL server certificates. The FortiGate can be configured to use certificates that are managed by Let's Encrypt, or by any other certificate management service that uses the ACME protocol.
Detailed steps to generate a certificate using ACME and Let’s Encrypt can be found in the following document:
Automatically provision a certificate - FortiGate 7.4.8 administration guide.
When generating an ACME certificate on a FortiGate HA cluster, the configuration may become out-of-sync due to discrepancies in the 'config system acme' section between the primary and secondary units.

By comparing the configuration on each unit, the following difference will be observed:
Primary unit:
gzhongFGT-fgt-a (acme) # sh
config system acme
    set interface "port1"
    config accounts
        edit "ACME-.letsencrypt.org-0000"
            set status "valid"
            set ca_url "https://acme-v02.api.letsencrypt.org/directory"
        next
    end
end
Secondary unit:
gzhongFGT-fgt-b (acme) # sh
config system acme
    set interface "port1"
end
Manually fixing the difference by adding the entry under 'config accounts' on the secondary unit fails with the error shown below. The root cause is that the email ID is missing from the ACME account information, so the secondary unit cannot accept the configuration synchronized from the primary.
gzhongFGT-fgt-b (acme) # sh
config system acme
    set interface "port1"
end
gzhongFGT-fgt-b (acme) # config accounts
gzhongFGT-fgt-b (accounts) # edit "ACME-.letsencrypt.org-0000"
new entry 'ACME-.letsencrypt.org-0000' added
gzhongFGT-fgt-b (ACME-.letsencryp~000) # set status "valid"
gzhongFGT-fgt-b (ACME-.letsencryp~000) # set ca_url "https://acme-v02.api.letsencrypt.org/directory"
gzhongFGT-fgt-b (ACME-.letsencryp~000) # next
Attribute 'url' MUST be set.
Command fail. Return code 1
gzhongFGT-fgt-b (accounts) # end
gzhongFGT-fgt-b (acme) # end
This is a known issue (Engineering ID: 1170282) affecting FortiOS 7.4.7 and 7.4.8. It is documented in the release notes and is scheduled for resolution in v7.4.9:
FortiOS 7.4.8 known issues.
FortiOS 7.4.7 known issues.
The following steps can be taken on the primary unit as a workaround to manually add the missing email ID back to the ACME account information, which resolves the issue:
Step 1: Retrieve ACME Account Details from primary:
Run the following command on the primary unit to display account details, including the private key:
get system acme acc-details
Example output; note that the Email field is empty:
gzhongFGT-fgt-a # get system acme acc-details
== [ ACME-.letsencrypt.org-0000 ]
ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
Status: valid
Email:
Private Key:
-----BEGIN PRIVATE KEY-----
MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCOfQ+P7xMc0t6u
GvZeoPqM4NaWZIba3Z9fkMSKE7GQeHQIAOQj+Wjrfatf7fuIuAXvVknmf+WbeckL
CecKtYl6Nv/7FSINTBJB49nEcRKSAdbC7ilnzLhiDE69xPN14uIie0F6fGzjXeCc
Pvtv3iD90qa9VdlbqDdZyh0+MiFXrwCAV5UUk8aBJc58VB1/6hB2T5Yze4o6wn0S
nPur/VuWMyc50xwrJ4BS/RkxsqbPf3aMJo5AK/jb77PiuOxKUo6NodguvbFkVPqB
9FxvMJD7bGS67gjWDHqlqLiDmQrMYzdFDvMNXxaxoRNugtNXVsl6wQUGVleOQ3uG
kzvdDaGS9wqmMZ52+q4/j3yQmMX7nI+Ucer2qcb8GLV76E60XakCAwEAAQKCAYAK
mYCNHUSPdhtVGdHeh7yjur0T2n4SrX5j2k3YlK72l5NQHhralzzoGcTkIby+tqvQ
WlusfzKqLnTXcqDikc8cjZdcyv1pvlE0YBoMzDmMrYDXpuZjH55OwuofoVVYHWzj
kkY0cama/1qMXP4Q3BYZs7AuMQL2l8yoTAoBXLLQxka0BW/kZDrV1CVoZ8x6/cNE
PdbnVQcbKGkr8nJSoQR5K8gr57RZX34rfrpTNtX2njLVvf75yuBPvFLFJ6ffL+nN
JswoiLKJIrjNClUlrH18GFdLG3Bh7TnZ4s51idoYRJoxWf/H1qLLFlY5TrC/PvPc
gfF4qoQeP62WZaxuIc9pvgw6jqbBHNdeIjoCHnKkePbfCaG3+gXIkl2OlYHPe6D3
Xd3XSUxkYsXmF6VsUseIeqCBBbVSpW0wERnd6EMfj5H321RLQ/yYLTA7cXvg5H+k
cuPVsoYY78p3o1brY+hOP869WldhMHinr74mlVD/uldrvIO7udH66BcUpCsqhAEC
gcEAwfwKBZgfBdhLBrHeZ2hWjum+ZmacjQvrT9J5icIPMCiI9eEbkcuNUlWztrRE
/AqwtVa1KiBiopLtFbhyi1D52ySB9uZGJmya1TPKOG2zXIbLYOXrUKqvCp/Hexvi
bAqHid7jlCMQ7HuXB8pLbePq0x6eGhfkoo7JdAokyvl212IRasCsnJpERtalnaav
J8IQn99qRwBqAlwbcX9MN5C6jLMffcU4XFAS6EmugE0fUz5wqT0K6Vbu/FhWC1qD
K2upAoHBALwKhHDNfG9Ja/V9gpgtufCiQ1B2WD5UInYa+fafsVmBze24XGvTTTfO
o+ZhxSDZB3cDvsNOCUgGu94mYRlPL+H4IiNcFq8YGltz8iF7NNrKmWTokEM05hHW
3iNEpK6KKqSfOX06+79R5cMLx8gDawfUva46gnAt+jWiaew1MNp9Zf9qMIM2HrFS
wAN35U+8mgjJWy3nNTzvN631R8JuGPC0NkqdzHU6XIfPfrrgWvmirZWvHtC2Au1h
4apu5yiiAQKBwAcQugC4KLEazqjAw7v6deSgqNmr9RnCDGEM5nZZBhqX710dRNbL
lisgifommLihXwxLyy9snIsVVONMo4dlfKQ5sS4f9wAhRoZra3sgq767/h5aYXa/
sL5vUWGvg1CyFXu1DY7wtAYY/kg/Wv32pi/oVpPWuPIex0GduPdXnLd9j+rWd7MA
f2ohGUkjsA9/pwFbrtBFOJc7aZh5rXn8oH7Na2E2VLYwCHBDdsKfjHuIs6vGWGZl
TzELup6RPmPPeQKBwHHEnzqsaGPgdSvzAudVixEW60ksQNl9B9iTG7bmCWQRD+mK
yIgIMMjaAfnqH11vUX/lSS5a8Wydfl66s7afXWYHPYhNOAA5wgCg1tcA9wqE12fg
+R9gSu5yJLYL2uMq/v/YweyNmjC3uR5X60iNIN19DkHybma2upJmsFVUHTmj8ukk
czN/s/QvD7NJf/jNMBiu0rakE2bJiNN7+i2ddQN01QAyFri6Va9pj9A622/7x7Av
YqJ97Kl4thLqxHqmAQKBwGe/anNYoGU5XEPO3vC/195Is2SEDjFGm2Juzq4fa7sr
leW1LfW2KFAQrdOzwJGbHQ1H+XpQQImxcpxRyTuumtlk2nYMymtlw0pe2MUN72lG
0V5FgiyHWCpHjKXHJLaksUkOTt2zd10tbJzVrTZJTUbsnrDTy9Lo9Izj1kVI8gnH
D6X3a1U4vkTDSuhKM1wFDrRKnCApaRU+9oYJNmm7w/OEg3U+pRmxuF/V0dNHUS8o
v3eaxKhMpL5En3L/KrX1eA==
-----END PRIVATE KEY-----
Step 2: Find the missing email ID from the ACME certificate. It is the email ID entered in the GUI when the ACME certificate was generated, and it can be found under 'config vpn certificate local' as shown below:
config vpn certificate local
    edit "ACME_CERT"
        set comments "<>"
        set enroll-protocol acme2
        set acme-domain "acme.test.com"
        set acme-email "xxxx@gmail.com"   <---
    next
end
Step 3: Manually add ACME Account information that includes the missing email ID by CLI command on the primary unit:
Execute the following command with the placeholders filled in: the email ID comes from step 2, and all other values, including the private key, come from the step 1 output.
diagnose sys acme add-account "ACME-.letsencrypt.org-0000" <Account URL> <ACME CA URL> "valid" <email ID> <private key>
Note on private key input:
When pasting the multi-line private key:
- Start with a double quote (").
- Press Enter, then paste the key contents, starting with -----BEGIN PRIVATE KEY-----.
- Add the ending double quote (") after -----END PRIVATE KEY-----.
- Press Enter to complete.
See the following example:
diagnose sys acme add-account "ACME-.letsencrypt.org-0000" "https://acme-v02.api.letsencrypt.org/acme/acct/2569385621" "https://acme-v02.api.letsencrypt.org/directory" "valid" "xxxx@gmail.com" "
> -----BEGIN PRIVATE KEY-----
> MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCOfQ+P7xMc0t6u
> GvZeoPqM4NaWZIba3Z9fkMSKE7GQeHQIAOQj+Wjrfatf7fuIuAXvVknmf+WbeckL
> CecKtYl6Nv/7FSINTBJB49nEcRKSAdbC7ilnzLhiDE69xPN14uIie0F6fGzjXeCc
> Pvtv3iD90qa9VdlbqDdZyh0+MiFXrwCAV5UUk8aBJc58VB1/6hB2T5Yze4o6wn0S
> WGo7YWy+yF7RHXVZ4DvO8z5kYa2b81D7CsNM4VOQB3ulpwXi0cHGT51GTZ0hDN1s
> U9SttC/0zlWR/KifFq975YOWc9KUztGaUYzGtCPrzfQCbRdNfCl2NjGIvhTKLXsC
> nPur/VuWMyc50xwrJ4BS/RkxsqbPf3aMJo5AK/jb77PiuOxKUo6NodguvbFkVPqB
> 9FxvMJD7bGS67gjWDHqlqLiDmQrMYzdFDvMNXxaxoRNugtNXVsl6wQUGVleOQ3uG
> kzvdDaGS9wqmMZ52+q4/j3yQmMX7nI+Ucer2qcb8GLV76E60XakCAwEAAQKCAYAK
> mYCNHUSPdhtVGdHeh7yjur0T2n4SrX5j2k3YlK72l5NQHhralzzoGcTkIby+tqvQ
> WlusfzKqLnTXcqDikc8cjZdcyv1pvlE0YBoMzDmMrYDXpuZjH55OwuofoVVYHWzj
> kkY0cama/1qMXP4Q3BYZs7AuMQL2l8yoTAoBXLLQxka0BW/kZDrV1CVoZ8x6/cNE
> PdbnVQcbKGkr8nJSoQR5K8gr57RZX34rfrpTNtX2njLVvf75yuBPvFLFJ6ffL+nN
> JswoiLKJIrjNClUlrH18GFdLG3Bh7TnZ4s51idoYRJoxWf/H1qLLFlY5TrC/PvPc
> gfF4qoQeP62WZaxuIc9pvgw6jqbBHNdeIjoCHnKkePbfCaG3+gXIkl2OlYHPe6D3
> Xd3XSUxkYsXmF6VsUseIeqCBBbVSpW0wERnd6EMfj5H321RLQ/yYLTA7cXvg5H+k
> cuPVsoYY78p3o1brY+hOP869WldhMHinr74mlVD/uldrvIO7udH66BcUpCsqhAEC
> gcEAwfwKBZgfBdhLBrHeZ2hWjum+ZmacjQvrT9J5icIPMCiI9eEbkcuNUlWztrRE
> /AqwtVa1KiBiopLtFbhyi1D52ySB9uZGJmya1TPKOG2zXIbLYOXrUKqvCp/Hexvi
> bAqHid7jlCMQ7HuXB8pLbePq0x6eGhfkoo7JdAokyvl212IRasCsnJpERtalnaav
> J8IQn99qRwBqAlwbcX9MN5C6jLMffcU4XFAS6EmugE0fUz5wqT0K6Vbu/FhWC1qD
> K2upAoHBALwKhHDNfG9Ja/V9gpgtufCiQ1B2WD5UInYa+fafsVmBze24XGvTTTfO
> o+ZhxSDZB3cDvsNOCUgGu94mYRlPL+H4IiNcFq8YGltz8iF7NNrKmWTokEM05hHW
> 3iNEpK6KKqSfOX06+79R5cMLx8gDawfUva46gnAt+jWiaew1MNp9Zf9qMIM2HrFS
> wAN35U+8mgjJWy3nNTzvN631R8JuGPC0NkqdzHU6XIfPfrrgWvmirZWvHtC2Au1h
> 4apu5yiiAQKBwAcQugC4KLEazqjAw7v6deSgqNmr9RnCDGEM5nZZBhqX710dRNbL
> lisgifommLihXwxLyy9snIsVVONMo4dlfKQ5sS4f9wAhRoZra3sgq767/h5aYXa/
> sL5vUWGvg1CyFXu1DY7wtAYY/kg/Wv32pi/oVpPWuPIex0GduPdXnLd9j+rWd7MA
> f2ohGUkjsA9/pwFbrtBFOJc7aZh5rXn8oH7Na2E2VLYwCHBDdsKfjHuIs6vGWGZl
> TzELup6RPmPPeQKBwHHEnzqsaGPgdSvzAudVixEW60ksQNl9B9iTG7bmCWQRD+mK
> yIgIMMjaAfnqH11vUX/lSS5a8Wydfl66s7afXWYHPYhNOAA5wgCg1tcA9wqE12fg
> +R9gSu5yJLYL2uMq/v/YweyNmjC3uR5X60iNIN19DkHybma2upJmsFVUHTmj8ukk
> czN/s/QvD7NJf/jNMBiu0rakE2bJiNN7+i2ddQN01QAyFri6Va9pj9A622/7x7Av
> YqJ97Kl4thLqxHqmAQKBwGe/anNYoGU5XEPO3vC/195Is2SEDjFGm2Juzq4fa7sr
> leW1LfW2KFAQrdOzwJGbHQ1H+XpQQImxcpxRyTuumtlk2nYMymtlw0pe2MUN72lG
> 0V5FgiyHWCpHjKXHJLaksUkOTt2zd10tbJzVrTZJTUbsnrDTy9Lo9Izj1kVI8gnH
> D6X3a1U4vkTDSuhKM1wFDrRKnCApaRU+9oYJNmm7w/OEg3U+pRmxuF/V0dNHUS8o
> v3eaxKhMpL5En3L/KrX1eA==
> -----END PRIVATE KEY-----"
Warning! Manually adding erroneous account information can cause the ACME client to work improperly.
Do you want to continue? (y/n)y
Step 4: Execute the command 'diagnose sys acme restart'.
After that, the missing email will be successfully added under the account information and the 'config system acme' section will be identical on both units.
config system acme
    set interface "port1"
    config accounts
        edit "ACME-.letsencrypt.org-0000"
            set status "valid"
            set ca_url "https://acme-v02.api.letsencrypt.org/directory"
            set email "xxxx@gmail.com"
        next
    end
end
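The script below is an added example; it is not code from this article or from Fortinet. It parses the CLI output formats shown above (the 'config system acme' sections of both HA units, the 'get system acme acc-details' listing and the 'config vpn certificate local' entry), reports the discrepancy that keeps the secondary out of sync, and assembles the step 3 command with the private key quoted as the note describes. All sample input is constructed, the private key body is a placeholder rather than a real key, and the function names are the example's own. The generated command is meant to be reviewed and then pasted into the primary unit's CLI, not run automatically.

```python
"""Added example, not Fortinet's code: parse the FortiOS CLI output shown in
this article, flag the HA 'config system acme' discrepancy, and compose the
'diagnose sys acme add-account' command from the step 1 and step 2 output.
All sample text is constructed; the private key body is a placeholder."""
import shlex

# --- constructed sample input, mirroring the article's output formats ---
PRIMARY_SHOW = """config system acme
    set interface "port1"
    config accounts
        edit "ACME-.letsencrypt.org-0000"
            set status "valid"
            set ca_url "https://acme-v02.api.letsencrypt.org/directory"
        next
    end
end"""
SECONDARY_SHOW = """config system acme
    set interface "port1"
end"""
ACC_DETAILS = """== [ ACME-.letsencrypt.org-0000 ]
ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
Status: valid
Email:
Private Key:
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEYBODYNOTAREALKEY==
-----END PRIVATE KEY-----"""
CERT_LOCAL = """config vpn certificate local
    edit "ACME_CERT"
        set enroll-protocol acme2
        set acme-email "xxxx@gmail.com"
    next
end"""


def parse_fortios_config(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts:
    'config X' and 'edit "Y"' open a dict under key X or Y, 'set k v'
    stores v under k (a list when several values), next/end close."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cur = stack[-1] if stack else root
        if tokens[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set":
            cur[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
    return root


def ha_acme_discrepancies(primary_show, secondary_show):
    """Compare the 'accounts' table of both units: accounts absent on the
    secondary, and primary accounts with no 'email' attribute (the
    condition this article links to the sync failure)."""
    pri = parse_fortios_config(primary_show).get("system acme", {}).get("accounts", {})
    sec = parse_fortios_config(secondary_show).get("system acme", {}).get("accounts", {})
    return {
        "missing_on_secondary": sorted(set(pri) - set(sec)),
        "missing_email": sorted(n for n, a in pri.items() if "email" not in a),
    }


def parse_acc_details(text):
    """Parse one account of 'get system acme acc-details' into a dict with
    keys name, acme_ca_url, account_url, status, email, private_key."""
    details, key_lines, in_key = {}, [], False
    for line in text.splitlines():
        if in_key:  # PEM block runs until the END marker
            key_lines.append(line.strip())
            in_key = line.strip() != "-----END PRIVATE KEY-----"
        elif line.startswith("== ["):
            details["name"] = line.strip("=[] ")
        elif line.startswith("Private Key:"):
            in_key = True
        elif ":" in line:  # split on the first colon only; URLs contain colons
            k, _, v = line.partition(":")
            details[k.strip().lower().replace(" ", "_")] = v.strip()
    details["private_key"] = "\n".join(key_lines)
    return details


def cert_local_email(cert_text, cert_name):
    """Return the acme-email of a 'config vpn certificate local' entry (step 2)."""
    cfg = parse_fortios_config(cert_text)
    return cfg.get("vpn certificate local", {}).get(cert_name, {}).get("acme-email")


def build_add_account_cmd(details, email):
    """Compose the step 3 command. The key is quoted as the note describes:
    opening quote, newline, PEM lines, closing quote right after END."""
    if not email:
        raise ValueError("no acme-email found; the account cannot be re-added")
    return (
        f'diagnose sys acme add-account "{details["name"]}" '
        f'"{details["account_url"]}" "{details["acme_ca_url"]}" '
        f'"{details["status"]}" "{email}" "\n{details["private_key"]}"'
    )


if __name__ == "__main__":
    print(ha_acme_discrepancies(PRIMARY_SHOW, SECONDARY_SHOW))
    acct = parse_acc_details(ACC_DETAILS)
    print(build_add_account_cmd(acct, cert_local_email(CERT_LOCAL, "ACME_CERT")))
```

Feed the script the real 'show' output captured from each unit and the real 'get system acme acc-details' output; the parser only needs the config/edit/set nesting and the "Key: value" lines, so the prompts can be left out. Because the step 1 output contains the account's private key, handle the captured text with the same care as any other private key material and delete it once the account has been re-added.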
Related articles:
Technical Tip: ACME certificate provisioning on FortiGate HA cluster causes configuration sync issue...
Troubleshooting Tip: HA out of sync issue due to 'vpn.certificate.local' object