Let's Encrypt questions about an unknown CRL status and 2 times one with POISON message

ikkeben

Example for @zEirEr Poralix, but I think all or almost all LE domains have this?

https://crt.sh/?q=poralix.com

You can see after May 2018 in that test you see every time 2 dates (sometimes on the same date too) for the same, with different ID, so "always" first attempt failing?
crt.sh ID | Logged At | Not Before | Not After | Issuer Name
1737135889 | 2019-08-03 | 2019-08-01 | 2019-10-30 | C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
1729927222 | 2019-08-01 | 2019-08-01 | 2019-10-30 | C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

The first (ID 1729927222, 2019-08-01) has a message with

CT Precertificate Poison: critical
0000 - 05 00

All have:
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE

All have an orange warning status CRL UNKNOWN?
Mechanism Provider Status Revocation Date Last Observed in CRL Last Checked (Error)
CRL The CA Unknown n/a

Meaning and is it possible to have those 3 things not so the Poison and the CRL unknown in Orange warning?

This is only for LE certs, so why, and is maybe something wrong or could be better?
 
Hello,

Thanks for your questions. Currently I have nothing to add as a comment yet. Probably somebody else has anything to say.
 
Hello,

Thanks for your questions. Currently I have nothing to add as a comment yet. Probably somebody else has anything to say.

I hope so, someone knowing why Let's Encrypt has this since 04/05 2018? (Thanks for using your domain as example. ;) )

EDIT:
ONE answer could be for the ORANGE warning:

CRL Distribution Points:
The CRL Distribution Points extension provides the location of the corresponding Certificate Revocation List (CRL) for the SSL certificate.
So there isn't a revocation yet, and ok for that.??

Some explanations you can find here; I haven't enough knowledge to say it is OK or not OK!
https://knowledge.digicert.com/solution/SO18140.html

So the ones with the warning text in it are why I started this topic!

LETSENCRYPT.ORG has this too, why?
https://crt.sh/?q=letsencrypt.org in this ID https://crt.sh/?id=1674775931
CT Precertificate Poison: critical
0000 - 05 00
 
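An added example, not part of the thread and not crt.sh or Let's Encrypt code: a stdlib-only DER decoder for a single X.509 extension that recognizes the "CT Precertificate Poison: critical / 05 00" entry quoted in the posts as the RFC 6962 poison extension (OID 1.3.6.1.4.1.11129.2.4.3, value ASN.1 NULL), which marks a logged precertificate rather than the final certificate. The two sample byte strings are constructed for the example, and the function names are hypothetical.

```python
POISON_OID = "1.3.6.1.4.1.11129.2.4.3"   # CT precertificate poison (RFC 6962)
ASN1_NULL = bytes.fromhex("0500")         # the "05 00" shown in the crt.sh dump

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes (first two arcs assumed to fit in one byte)."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)     # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extension(der):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    tag, value, pos = read_tlv(seq, pos)
    critical = False
    if tag == 0x01:                       # optional BOOLEAN precedes the value
        critical = value != b"\x00"
        tag, value, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, value

def is_precert_poison(der):
    oid, critical, value = parse_extension(der)
    return oid == POISON_OID and critical and value == ASN1_NULL

# Constructed sample extensions (not taken from any logged certificate).
SAMPLE_POISON = bytes.fromhex("3013060a2b06010401d6790204030101ff04020500")
SAMPLE_BASIC_CONSTRAINTS = bytes.fromhex("300c0603551d130101ff04023000")
```
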