@xyzzy, I’m sorry to say that the other problem is still fatal here. There is no way in the protocols that Let’s Encrypt currently uses to ignore SANs. If any SAN is incompatible with LE’s issuance policy, the certificate can’t be issued; the protocol doesn’t have a way to say “I don’t care about these” or “don’t validate these” or “don’t issue for these”.