@ghost ghost commented Feb 5, 2025

This PR adds a new deploy hook for FortiGate firewalls. It:

  • Uploads the server and CA certificate to FortiGate via API.
  • Sets the uploaded certificate as the active web GUI certificate.
  • Removes the previously deployed certificate (name stored in the acme domain conf).
  • Does not remove CA certificates (in case of external dependencies).

Why is this needed?

FortiGate's native ACME integration:

  • Does not support wildcard certificates.
  • Does not work with custom management ports (e.g., DNAT web traffic).
  • Does not support domain validation.

Usage

acme.sh --deploy -d example.com --deploy-hook fortigate --insecure

--insecure is required in case of an invalid pre-existing certificate.

API Requirements

Create a REST API admin with an admin profile assigned the following permissions:

  • System → Configuration [Read/Write] (for setting the active GUI certificate)
  • VPN → [Read/Write] (for uploading and removing certificates)

Virtual Domains (VDOMs) Considerations

If using Virtual Domains (VDOMs):

  • Set "Scope" to "global" in the admin profile.
  • Be aware that the certificate will be visible to all VDOMs.

Tested On:

  • FortiGate 61F v7.4.7 (without VDOMs)
  • FortiGate 100F v7.4.6 (with VDOMs)
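The sequence the PR describes (upload the certificate and key, make it the active admin GUI certificate, then remove the previously recorded one) as an added illustration in the acme.sh deploy-hook style. This is example code, not the PR's hook and not part of acme.sh. The FortiOS REST endpoints, the JSON field names, bearer-token authentication and the FGT_* environment variable names are assumptions to be checked against the API reference for your firmware; by default the script only prints the calls it would make (FGT_DRY_RUN=1), and it never puts the private key on the curl command line.

```shell
#!/bin/sh
# Illustrative FortiGate deploy hook (added example, not the PR's code).
# Assumed endpoints and field names; verify against your FortiOS API reference:
#   POST   /api/v2/monitor/vpn-certificate/local/import   upload cert + key
#   PUT    /api/v2/cmdb/system/global                      set admin-server-cert
#   DELETE /api/v2/cmdb/vpn.certificate/local/<name>       remove old cert
# Environment (assumed names): FGT_HOST, FGT_TOKEN, FGT_STATE_FILE,
# FGT_CURL_OPTS (e.g. --cacert), FGT_DRY_RUN (default 1: print, do not call).

# Base64-encode a file on one line (GNU base64 wraps at 76 columns, BSD does not).
fgt_b64() { base64 < "$1" | tr -d '\n'; }

# Certificate object name: "*.example.com" + stamp -> "wildcard_example_com_<stamp>".
fgt_cert_name() {
  printf '%s_%s' "$(printf '%s' "$1" | sed -e 's/^\*\./wildcard./' -e 's/[^A-Za-z0-9]/_/g')" "$2"
}

# JSON body for the import call: $1 name, $2 cert/chain (PEM), $3 key (PEM).
fgt_import_payload() {
  printf '{"type":"regular","certname":"%s","file_content":"%s","key_file_content":"%s"}' \
    "$1" "$(fgt_b64 "$2")" "$(fgt_b64 "$3")"
}

# Delete the previous cert only if one is recorded and it is not the one just uploaded.
fgt_should_remove_old() { [ -n "$1" ] && [ "$1" != "$2" ]; }

# REST call. The body goes via stdin so the private key never appears in argv (ps).
fgt_api() {
  method=$1; path=$2; body=${3:-}
  if [ "${FGT_DRY_RUN:-1}" = "1" ]; then
    printf 'DRY-RUN %s https://%s%s (%s body bytes)\n' "$method" "$FGT_HOST" "$path" "${#body}"
    return 0
  fi
  if [ -n "$body" ]; then
    printf '%s' "$body" | curl -sS --fail ${FGT_CURL_OPTS:-} -X "$method" \
      -H "Authorization: Bearer $FGT_TOKEN" -H 'Content-Type: application/json' \
      --data-binary @- "https://$FGT_HOST$path"
  else
    curl -sS --fail ${FGT_CURL_OPTS:-} -X "$method" \
      -H "Authorization: Bearer $FGT_TOKEN" "https://$FGT_HOST$path"
  fi
}

# acme.sh calls a deploy hook with: domain, key file, cert file, CA file, fullchain file.
# The CA upload the PR performs is left out here; $_ccert and $_cca are unused.
fortigate_deploy() {
  _cdomain=$1; _ckey=$2; _ccert=$3; _cca=$4; _cfullchain=$5
  new_name=$(fgt_cert_name "$_cdomain" "$(date +%Y%m%d%H%M)")
  old_name=$(cat "$FGT_STATE_FILE" 2>/dev/null || true)

  fgt_api POST /api/v2/monitor/vpn-certificate/local/import \
    "$(fgt_import_payload "$new_name" "$_cfullchain" "$_ckey")" || return 1
  fgt_api PUT /api/v2/cmdb/system/global "{\"admin-server-cert\":\"$new_name\"}" || return 1
  # Record the new name before deleting the old one, so a failed delete can be retried
  # on the next run without losing track of which object is live.
  printf '%s\n' "$new_name" > "$FGT_STATE_FILE"
  if fgt_should_remove_old "$old_name" "$new_name"; then
    fgt_api DELETE "/api/v2/cmdb/vpn.certificate/local/$old_name" || return 1
  fi
}

# Stand-alone usage: ./fortigate_hook.sh example.com key.pem cert.pem ca.pem fullchain.pem
if [ "$#" -eq 5 ]; then fortigate_deploy "$@"; fi
```

On the first run, while the firewall still serves its factory self-signed certificate, pointing FGT_CURL_OPTS at that certificate (export it from the device and pass --cacert) pins the connection for the one deploy that needs it, so the API token is never sent over an unverified TLS session the way a blanket --insecure would allow; once the ACME certificate is active, the option can be dropped. Keeping the state file alongside the domain conf mirrors what the PR does with the stored certificate name.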

@ghost ghost closed this Feb 14, 2025