Often times, situations like this are for an explicit purpose.
Error codes like that can usually be found in the Boulder source if you search for the string after :::
Git blame shows this line was from a PR a few days ago: Reject all CSRs with an IP in the CN (#8282) · letsencrypt/boulder@a1a7a7f · GitHub
Here is the commit message:
Reject all CSRs with an IP in the CN (#8282)
Although #8231 fixed
csr.CNFromCSR to ignore Common Names that are valid IPs, that didn't
fully solve our issue: identifier.FromCSR still extracts the CN and
assumes that it is a dnsName, leading to a mismatch between the CSR's
identifiers and the Order's identifiers.
Instead, let's outright reject all CSRs which carry an IP in their
Subject Common Name. Although this doesn't have the elegance of
rejecting such CNs on a profile-by-profile basis, it matches our ongoing
effort to do away with CNs entirely.