Public CAs typically only allow a small number of EKU flags that are mentioned in the Certification Practice Statement (CPS); in Let’s Encrypt’s case that’s id-kp-serverAuth and id-kp-clientAuth.
CSRs are more or less a wishlist that gets “rewritten” based on what the CA supports (and is allowed to support).
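The "wishlist" behaviour described above, as an added example that is not part of the original post: a CSR asks for three EKUs, a constructed toy CA rewrites the extension against its policy, and `eku_diff` shows what was granted and what was dropped. It assumes the Python `cryptography` package; `ALLOWED_EKUS`, `toy_ca_issue`, `eku_diff` and the name `example.test` are hypothetical and do not represent any real CA's code.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

# Assumed toy-CA policy: the two EKUs the post names for Let's Encrypt.
ALLOWED_EKUS = {EKU.SERVER_AUTH, EKU.CLIENT_AUTH}

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _ekus(obj):
    """Dotted-string EKU OIDs carried by a CSR or a certificate."""
    ext = obj.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
    return {oid.dotted_string for oid in ext.value}

def build_csr(key, cn, wanted_ekus):
    """Subscriber side: put the EKU wishlist into the CSR's extension request."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(_name(cn))
            .add_extension(x509.ExtendedKeyUsage(wanted_ekus), critical=False)
            .sign(key, hashes.SHA256()))

def toy_ca_issue(csr, ca_key, ca_cn="Constructed Toy CA"):
    """CA side: keep subject and public key, rewrite EKU to what policy allows."""
    asked = csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    granted = [oid for oid in asked if oid in ALLOWED_EKUS]
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(_name(ca_cn))
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.ExtendedKeyUsage(granted), critical=False)
            .sign(ca_key, hashes.SHA256()))

def eku_diff(csr, cert):
    """Return (granted, dropped): requested EKUs kept vs. removed by the CA."""
    asked, got = _ekus(csr), _ekus(cert)
    return sorted(asked & got), sorted(asked - got)

def demo():
    sub_key = ec.generate_private_key(ec.SECP256R1())  # constructed keys
    ca_key = ec.generate_private_key(ec.SECP256R1())
    csr = build_csr(sub_key, "example.test",
                    [EKU.SERVER_AUTH, EKU.CLIENT_AUTH, EKU.CODE_SIGNING])
    return eku_diff(csr, toy_ca_issue(csr, ca_key))
```

Running the same `eku_diff` comparison on a real CSR and the certificate that comes back is a quick way to confirm which requested usages the CA actually honoured.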