Starting with Go 1.17 support for invalid certificates is going to be removed, see https://go.dev/doc/go1.17. This means that legacy certificates not having a SAN field but relying on the CN field will not be accepted by Go 1.17 based TLS clients any more. The temporary `GODEBUG=x509ignoreCN=0` environment variable has been removed as of Go 1.17.
Closing as with CURRENTRELEASE resolution as we can only implement preventive fixes in 4.9 only.