Happy Hacker Fake CA - Revoke?


I’ve issued a certificate (manually) using the --test-cert flag, and got a certificate bearing the following information

Issuer: CN=happy hacker fake CA

As everything went smoothly, I requested another 5 certificates without the flag (I need 6 certificates). All of them bear the following information:

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1

Now, obviously I can’t use the first certificate as I get an “invalid CA” message. I can’t also generate a new one, due to rate limit. I can’t also seem to revoke it either, so looks like I’m “locked in”.

I’m in dire need of the certificate. Is there anything that can be done about this?


No, there’s no way to bypass the certificates per domain rate limit. Revocation will not reset the count (because the rate limit’s purpose is not to limit “active certificates per domain”, but rather OCSP signing load). You will have to wait 7 days.

Note that you can request SAN certificates (certificates covering multiple domains) by passing multiple -d arguments to the client. You can include up to 100 domains (distinct domains or subdomains), and this will only count as one certificate for your rate limit. Just a hint for your next attempt.


Thank you very much for your quick answer. I understand.

I wasn’t aware of that. Isn’t there really anything that can be done? Will I have to wait 7 days?


There’s no way to reset the rate limit. Short of using a different domain you won’t be able to get another certificate for 7 days. Take a look at StartSSL (if you’re eligible) or WoSign if you need a free certificate right now.