Scep server reports wrong tag in my csr request

Question

I'm trying to get a certificate from a SCEP Server. I prepared a CSR using openssl.

openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr

Here's my CSR:

-----BEGIN CERTIFICATE REQUEST-----
MIIC+TCCAeECAQAwgZUxCzAJBgNVBAYTAlBMMRMwEQYDVQQIEwpTb21lLVN0YXRl
MRMwEQYDVQQHEwpXYXJyaW5ndG9uMRIwEAYDVQQKEwlNeUNvbXBhbnkxDzANBgNV
BAsTBk15VW5pdDERMA8GA1UEAxMIU29tZU5hbWUxJDAiBgkqhkiG9w0BCQEWFWRl
dmVsb3BlckBjb21wYW55LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAJyfp+vXLET+cXhXlcP61jQPw2+34kEij36/CeR6qAt4h827o28OsyTJ0hLT
ej7HlwVO4j0Hj9bngdt9bGtCdkx3jtEEVBKrhwD0ZAVP4MTkAEAjoS4SA55YBVCQ
evTTyWxD7yYQDtcg7lg5blsAISXTH5+bO1qgyvAthb1DpcztIYymOB3iw74+pFMN
zcatbFPKeNJMo75fHdEagUr6nHaSmdPRMfkvupbU5j3DQ6TSl8dPG4FEJBzIlMm0
q+/y8F+qmQgac/vkzUiNCF36Iro9eWvuZ5N9z0fpVWDfaKLKwj6oFTL9U4z9KjnU
k8mM4peSA71d9iLMd+I+CFcZzx0CAwEAAaAeMBwGCSqGSIb3DQEJBzEPEw1Tb21l
Q2hhbGxlbmdlMA0GCSqGSIb3DQEBCwUAA4IBAQBeMCQb8meAL3LVqYMMGrt2WuNf
Kviw/HGVygiFN9E0AdO/6OEYiERo9bRq1PFToTtzN6BDm96lIUdexczYNBMQssjW
C1qTOHKKttLK0FUuhQtoZJTGnB4VTjiuBStQtGx+8OIULlJoCwFJUAMUqzllAs60
oT8QTLbfeoyRZOhOmK6b0/9l6sH1ltfULjNyOiDuIeUfzyWzk3zWZEq+iFx59U5g
iLnlCKMRhlYx3FIXRkboCeqEhnelU4KqPK9PmrzhdFHpiTzFIs3AnLXD8HOcmMSE
uHvoibbB4rPHpiZ6q9rjSAJefOjk+0o6kJrj/FoD0JWDKJkqyslSfY31QYtL
-----END CERTIFICATE REQUEST-----

Now, when I send that to the SCEP Server, I'm getting an error in response:

asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificateRequest @2

I looked a bit into ASN.1 tags table (https://www.obj-sys.com/asn1tutorial/node124.html) and source code of Go SCEP Server (https://golang.org/src/encoding/asn1/asn1.go) (look for "tags don't match") and I understand that the server expected to see a SEQUENCE and instead it got an INTEGER.

I used a ASN.1 decoder and I saw that in the structure there is some INTEGER with VALUE=0:

//EDIT: Probably it's just a CSR version (always 0)

I do not know what is its purpose. I tried removing that integer, moving it to other place, however, nothing helped. I would be quite surprised if openSSL produced a wrong CSR. Do you maybe have some idea what could be wrong here?