The “Requested Extensions” X509v3 Basic Constraints and X509v3 Key Usage are not used. (Actually, only the CN and SAN fields are used.) So you might want to try to minimise the extras in the CSR.
Also, try to explicitely set the Version field to something else than “0” (default for OpenSSL <1.0.2). Version fields of zero generate an error on staging server (and live from January 2017). (See “Rejection of malformed CSRs”).
I’m sure one of those (probably the latter) will fix the problem.