I believe Let's Encrypt uses the first SAN entry as CN. They did change this behaviour some time ago though, but I thought they reversed that decision? In a post on the Certbot Github repo @jsha said:
Update on the community thread: at Let's Encrypt we're going back to the old behavior for now (first SAN from CSR promoted to Subject CN instead of alphabetically-first SAN). But we still plan to push towards no-Subject-CN issuance for almost everyone, and eventually for everyone.
Maybe LE changed something again?