The “Requested Extensions” X509v3 Basic Constraints
and X509v3 Key Usage
are not used. (Actually, only the CN and SAN fields are used.) So you might want to try to minimise the extras in the CSR.
Also, try to explicitely set the Version
field to something else than “0” (default for OpenSSL <1.0.2). Version fields of zero generate an error on staging server (and live from January 2017). (See “Rejection of malformed CSRs”).
I’m sure one of those (probably the latter) will fix the problem.