Based on the Letsencrypt chain of trust here: https://letsencrypt.org/certificates/
I downloaded and pinned the ISRG Root X1 certificate in my client application in order to only initiate a TLS connection to my server if the server has a valid certificate from LetsEncrypt, rejecting any other CAs. However the certificate returned by the server doesn't seem to be signed with this root. The chain is:
My domain -> R3 -> IdenTrust DST Root CA X3
Switching out my pinned certificate for the IdenTrust one results in a succesful TLS connection. But from the image at https://letsencrypt.org/certificates/ it looks like the ISRG Root X1 should be signing the R3 certificate as well. I'm not sure if I'm missing something.