@kajer @cR0w I just spoke with someone from let's encrypt who has looked at the relevant code in a number of implementations and they confirm CIDR ranges aren't honored in SANs.
If I had an exploit which would allow this, I would now be dropping it because it would be funny, but alas...