Hopefully a Let’s Encrypt person will have some response to your first point, although just because something emits a warning doesn’t mean it’s necessarily a problem; that’s what we have errors for.
On the second point, the deprecated CN, the situation is that X.509 is originally part of the X.500 series directory system. Now, the directory system is not very important, but the Internet adopted X.509 and some other things, and re-purposed bits of them. But the Internet isn’t a hierarchical directory system, so at first what people did was just write technical stuff in the Common Name field, which is really supposed to be a human readable name like “Let’s Encrypt” or “Joseph George Daniels”.
Because it’s intended to be human readable it’s not “wrong” to set CN to " www.example.com" (that’s a space at the start) or “10.20.30.40-43” or “wWw.Example.ORG” and so to continue this way everybody would need a fairly complicated parser, and every issuer needs to be especially careful to only emit things that work with the common parsers out there. In the past for example it was found that some web browsers treated a NUL (zero byte) ASCII character as the end of the domain name in a Common Name.
So, back in the 1990s PKIX (the Internet’s standardisation of X.509 for its use) creates Subject Alternative Names (SANs) which are typed names, such as IP address, DNS name, email address. Whereas a certificate can only have one Subject, and thus should only have one CN, it can have many SANs.
For backwards compatibility the standard suggests you can write one DNS name in the Subject CN but this is deprecated, because after all, surely soon software will catch up and learn to read SANs, right? And almost two decades later we’re still doing the backward compatibility thing because there is still software which doesn’t understand SANs properly. Microsoft only recently began shipping operating systems that understand an IP address isn’t a text string. Similarly, some Certificate Authorities (not Let’s Encrypt, mostly smaller parochial ones these days) keep issuing certificates that don’t even fill out the SAN, so software has to keep checking CN even now.
Mozilla’s routine “communication to Certificate Authorities” (basically a letter they write asking each CA to fill out a web survey on practices and standards) has asked several times now for CAs to confirm they understand this rule and they will use SANs and not just rely on CN. Each time they get an affirmative answer but alas every year a few CAs manage not to quite do what they promised. “Oops” they say “Silly us. Don’t worry though, we know now”. Until next year.
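An added example, not part of the post above: a Python sketch of the difference between matching typed SANs and parsing a free-text CN, run on the CN strings the post quotes. The function names, the strict fallback policy, and the sample values are assumptions made for illustration.

```python
import ipaddress
import re

# LDH label syntax; a strict reader accepts nothing looser from a free-text CN.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def classify_cn(cn):
    """Interpret a free-text CN strictly: ('dns'|'ip', value) or ('ambiguous', why)."""
    if "\x00" in cn:
        return ("ambiguous", "embedded NUL byte")
    if cn != cn.strip():
        return ("ambiguous", "leading or trailing whitespace")
    try:
        return ("ip", str(ipaddress.ip_address(cn)))
    except ValueError:
        pass
    labels = cn.lower().split(".")
    if (len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)
            and labels[-1][0].isalpha()):
        return ("dns", ".".join(labels))
    return ("ambiguous", "neither a DNS name nor an IP address")

def reference_ids(sans, cn):
    """Names a verifier may match against: typed SANs win, CN is a fallback only."""
    typed = [(t, v.lower()) for t, v in sans if t in ("dns", "ip")]
    if typed:
        return typed  # CN is ignored entirely once SANs are present
    kind, value = classify_cn(cn)
    return [] if kind == "ambiguous" else [(kind, value)]

def host_matches(host, sans, cn):
    """Exact match only (wildcards omitted); the host's own type picks the SAN type."""
    try:
        wanted = ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        wanted = ("dns", host.lower().rstrip("."))
    return wanted in reference_ids(sans, cn)

# Constructed samples: the CN values quoted in the post plus a NUL-embedded name.
SAMPLE_CNS = [" www.example.com", "10.20.30.40-43", "wWw.Example.ORG",
              "www.example.com\x00.other.test"]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        print(repr(cn), "->", classify_cn(cn))
```
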