Authorizations for these names not found or expired

I’ve been trying to get a certificate using a certificate signing request I’ve generated myself because I’ve been using public key pinning and want to keep the same key pair.

I ran into this issue where the CSR had to be in DER format and I’ve fixed that, but now when I run the client

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr /home/michael/ssl/csr.der

I get an error message

Error: unauthorized :: The client lacks sufficient authorization :: Error creating new cert :: Authorizations for these names not found or expired: xo.tc

I’ve picked the ‘Automatically use a temporary webserver’ option and I can see it comes up with 200 when the well-known page is requested. I’ve seen other issues that look similar that are ‘Name is not whitelisted’, but this is ‘Authorizations for these names not found or expired’ and I’ve checked the two domain names (xo.tc and www.xo.tc) are in the Closed Beta Invite email.

It fails when I run it with Apache as well. I can post the logs from /var/log/letsencrypt if they will be of use.

I’ve figured out the issue (or at least what it was in my case).

In the CSR I had the Subject as the root domain CN=xo.tc and in the Subject Alternative Name I just had the subdomain DNS:www.xo.tc, but you need both names in the Subject Alternative Name section, so in my case DNS:www.xo.tc, DNS:xo.tc

I’m not sure if this is a bug (and I should open an issue on GitHub?) or if I’ve been doing my Certificate Signing Requests wrong all along and previous CAs have just been forgiving of poorly formatted CSRs.

EDIT to add: Also, it works on the test server with the CSR that only has one name in the SAN section (and gets a cert that’s valid for both) but doesn’t work on production.

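The fix described above can be checked before submitting a CSR: this added example (not part of the original post) rebuilds a DER CSR from an existing key with both names in the SAN and tests whether the Subject CN is listed there. The function names are hypothetical, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/usr/bin/env bash
# Added example: check that a CSR's Subject CN is repeated in its SAN list.
# Function names are hypothetical; requires OpenSSL 1.1.1+ for -addext.

# Print the DNS names in the SAN extension of a DER CSR, one per line.
csr_san_names() {
    openssl req -inform DER -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Print the Subject commonName of a DER CSR.
csr_common_name() {
    openssl req -inform DER -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Return 0 if the CN also appears as a SAN DNS entry, 1 otherwise.
csr_cn_in_san() {
    local cn
    cn=$(csr_common_name "$1")
    if [ -n "$cn" ] && csr_san_names "$1" | grep -qxF -- "$cn"; then
        return 0
    fi
    echo "CN '$cn' is missing from the SAN list of $1" >&2
    return 1
}

# Build a DER CSR from an existing private key, so a pinned key pair is kept.
# Usage: make_csr KEY OUT CN SAN1 [SAN2 ...]
make_csr() {
    local key="$1" out="$2" cn="$3" san="" name
    shift 3
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    openssl req -new -key "$key" -subj "/CN=$cn" \
        -addext "subjectAltName=$san" -outform DER -out "$out"
}
```

Running `csr_cn_in_san` on a CSR with only DNS:www.xo.tc in the SAN returns non-zero, while one built with `make_csr key.pem csr.der xo.tc www.xo.tc xo.tc` passes.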