Fake LE Intermediate and Root X1


Why did I get a "Fake LE Intermediate and Root X1" certificate?
What mistakes did I make?
Below is my code.
Thank you!

```
PS C:\Users\Administrator> openssl genrsa -out account.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)

e is 65537 (0x010001)
PS C:\Users\Administrator> openssl genrsa -out mydomain.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
PS C:\Users\Administrator> openssl req -new -sha256 -key mydomain.key -out mydomain.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) :New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:FriendlyCool Co.
Organizational Unit Name (eg, section) :Friendly Department
Common Name (e.g. server FQDN or YOUR name) :www.friendly.cool
Email Address :xxxxxxx@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :***********
An optional company name :All Friends Co.
PS C:\Users\Administrator> le64 -key account.key -csr mydomain.csr -csr-key mydomain.key -crt mydomain.crt -domains "www.friendly.cool" -path "C:\inetpub\henrywebroot\.well-known\acme-challenge" -generate-missing -handle-as dns -live
2019/06/27 19:12:54 [ ZeroSSL Crypt::LE client v0.32 started. ]
2019/06/27 19:12:54 Loading an account key from account.key
2019/06/27 19:12:54 Loading a CSR from mydomain.csr
2019/06/27 19:12:56 Registering the account key
2019/06/27 19:12:56 The key has been successfully registered. ID: 9764010
2019/06/27 19:12:56 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2019/06/27 19:12:56 Successfully saved a challenge file 'C:\inetpub\henrywebroot\.well-known\acme-challenge/BcCHXnxYNjKfFSS2hFqEbSdvnPnmXBxVZV4gbOGLLiI' for domain 'www.friendly.cool'
2019/06/27 19:12:59 Domain verification results for 'www.friendly.cool': success.
2019/06/27 19:12:59 You can now delete the 'C:\inetpub\henrywebroot\.well-known\acme-challenge/BcCHXnxYNjKfFSS2hFqEbSdvnPnmXBxVZV4gbOGLLiI' file.
2019/06/27 19:12:59 Requesting domain certificate.
2019/06/27 19:13:00 Requesting issuer's certificate.
2019/06/27 19:13:00 Saving the full certificate chain to mydomain.crt.
2019/06/27 19:13:00 ===> NOTE: You have been using the test server for this certificate. To issue a valid trusted certificate add --live option.
2019/06/27 19:13:00 The job is done, enjoy your certificate! For feedback and bug reports contact us at [ https://ZeroSSL.com | https://Do-Know.com ]
PS C:\Users\Administrator> openssl pkcs12 -export -out mycert.pfx -inkey mydomain.key -in mydomain.crt
Enter Export Password:
Verifying - Enter Export Password:
PS C:\Users\Administrator>
```

To issue production certificates, it seems you have to pass --live with two hyphens, not -live with only one.

However, the CT logs also show that two production certificates for friendly.cool and www.friendly.cool have been issued today, and one for only www.friendly.cool. Do you know where they went? Let's Encrypt has rate limits, though you haven't reached them yet.

1 Like
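
A pre-deployment check for the mix-up in this thread, as an added example that is not part of any post or of the Crypt::LE client: it parses every certificate in the chain file and only builds the PFX when no subject or issuer contains "Fake LE". The function name `Test-StagingChain` and its parameter names are hypothetical; `mydomain.crt`, `mydomain.key` and `mycert.pfx` are the file names from the session above, and `openssl` is assumed to be on the PATH as it is there.

```powershell
# Added example (not from the thread): refuse to package a staging certificate.
function Test-StagingChain {
    param(
        [Parameter(Mandatory)] [string] $Path,   # PEM chain file, e.g. mydomain.crt
        [string] $StagingPattern = 'Fake LE'     # marker taken from the thread title
    )
    $pem = Get-Content -LiteralPath $Path -Raw
    $blocks = [regex]::Matches(
        $pem,
        '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----',
        [System.Text.RegularExpressions.RegexOptions]::Singleline)
    if ($blocks.Count -eq 0) { throw "No PEM certificate found in $Path" }

    $staging = $false
    foreach ($b in $blocks) {
        # Decode each PEM block to DER and let .NET parse it.
        $der  = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        Write-Host ("subject: {0}`n issuer: {1}" -f $cert.Subject, $cert.Issuer)
        # A staging name anywhere in the chain means browsers will not trust it.
        if ($cert.Subject -match $StagingPattern -or $cert.Issuer -match $StagingPattern) {
            $staging = $true
        }
    }
    return $staging
}

if (Test-StagingChain -Path 'mydomain.crt') {
    Write-Error 'Chain was issued by the staging CA; re-run the client against the live server.'
} else {
    openssl pkcs12 -export -out mycert.pfx -inkey mydomain.key -in mydomain.crt
}
```

Running the check before the `openssl pkcs12 -export` step keeps a test-server chain from being imported into the web server by mistake.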


Sorry for making multiple runs. This is my first time ever creating an SSL certificate.
I have always been using -live with one dash. So the two production certificates somehow got created with the one dash. But those two production certificates were created without first creating a CSR file. So I had to re-create the certificate. May I know how many more times I can re-create the certificate? This time I will use two dashes: --live.


Usually up to five times within a brief period of time:

1 Like
