I can login to a root shell on my machine (yes or no, or I don't know): No
I just started with Let's Encrypt and the only way I can use it is through the automatic cert creator built into the FortiOS of a Fortigate 60E firewall device. I'm a freelance IT support contractor who doesn't have access to the website domain itself.
When I attempted to create the certificate using the ACME client that is provided as part of the Fortigate device, it said the certificate failed. When I tried again, it said my domain was already in use. I'm not sure what to do. Should I separate from the Fortigate device and try to recreate the cert in Certbot?
That domain is set up in Cloudflare CDN. There is an HTTPS connection between the client (browser, ...) and the Cloudflare Edge. The Edge usually obtains its own cert for this purpose. This is probably the cause of your "domain in use" error. There is another HTTPS connection between the Edge and your Origin server. I am not sure where Fortigate is involved in your config but I'm guessing between the Edge and your origin server?
Cloudflare offers Origin CA certs for use in Origin servers. That may be simpler and easier than creating a Let's Encrypt cert for that purpose. I do not know how to set up one of those with Fortigate but perhaps the Fortigate forum could advise or perhaps another volunteer here might. https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/
Yeah, as far as I know, your guess is right. The Fortigate is at the gateway of my client's corporate network but the website is externally hosted, so the firewall device would be between them. So I should just go to Cloudflare?
If the IP returned by the FQDN is managed by CloudFlare, then you would have trouble obtaining the cert anywhere behind CloudFlare. Not to say that it is impossible, it's just not straightforward/simple.
That said, then you would have to terminate the HTTP request at the firewall for that (secondary) IP.
[which is not common practice - the FW isn't normally run as a reverse proxy]
Soooo, you definitely need to speak with both CloudFlare and Fortinet about their recommendations/best practices (first).
So you'd have to serve your challenge on either port 80 or 443 depending on the Cloudflare SSL settings (flexible or strict) and it can be hard to know which port beforehand (both individually, no redirects?)
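The two checks the replies above describe (is the name's public IP one of the CDN's edge addresses, and on which origin port must the HTTP-01 challenge be served for a given proxy mode) as an added pre-flight script; this is example code, not from the thread or from Fortinet/Cloudflare. It assumes the operator supplies the CDN's published edge prefixes (the sample prefixes below are constructed, not Cloudflare's real ranges) and knows the proxy mode from the CDN dashboard; the resolver is injectable so the logic can be exercised without network access.

```python
"""Pre-flight check for HTTP-01 validation of a name fronted by a CDN.

Added example (not from the forum thread). Assumes the operator supplies the
CDN's published edge prefixes and the configured proxy/SSL mode.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample prefixes for demonstration; replace with the CDN's
# published edge ranges before using this against a real name.
SAMPLE_EDGE_PREFIXES = ["203.0.113.0/24", "2001:db8:cdc::/48"]

# Port the edge uses when it forwards the validator's request to the origin:
# "flexible" = edge->origin over plain HTTP, "full"/"strict" = over HTTPS.
# (Assumed mapping of the CDN's SSL modes to origin ports.)
ORIGIN_PORT_BY_MODE = {"flexible": 80, "full": 443, "strict": 443}


def resolve_all(fqdn: str) -> List[str]:
    """Return every A/AAAA address for fqdn using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


def behind_cdn(addresses: Iterable[str], prefixes: Iterable[str]) -> bool:
    """True if at least one resolved address lies inside a CDN edge prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return any(ipaddress.ip_address(a) in n for a in addresses for n in nets)


def origin_challenge_port(mode: str) -> int:
    """Origin port that must answer /.well-known/acme-challenge/ requests
    forwarded by the edge for the given proxy mode."""
    try:
        return ORIGIN_PORT_BY_MODE[mode.lower()]
    except KeyError:
        raise ValueError("unknown CDN proxy mode: %r" % mode)


def preflight(fqdn: str, mode: str, prefixes: Iterable[str],
              resolver: Callable[[str], List[str]] = resolve_all) -> Dict:
    """Summarise where the validator's port-80 request will actually land."""
    addrs = resolver(fqdn)
    proxied = behind_cdn(addrs, prefixes)
    return {
        "addresses": addrs,
        "proxied": proxied,
        # Unproxied: the validator reaches the origin directly on port 80.
        # Proxied: the edge re-routes it to the mode-dependent origin port.
        "origin_port": origin_challenge_port(mode) if proxied else 80,
    }
```

If `proxied` is true, the host that ultimately answers on `origin_port` (in this thread, whatever sits behind the Fortigate) must serve the challenge token there, not just on port 80.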