Let's Encrypt wants to restrict itself to issuing certificates for hostnames. The CA is very well aware that DNS labels can contain underscores; the ACME DNS-01 verification method specifically requires underscores in DNS names used for verification of domain control and so Let's Encrypt regularly requires that people requesting certificates create DNS RRs beginning with underscores for this purpose. However, Let's Encrypt is only willing to issue certificates for subject names that are hostnames.
3 Likes