Currently, only the intermediate chain can be retrieved from the ACME protocol (via /acme/issuer-cert), without the root LE cert.
In production, you can hardcode the root cert (from https://letsencrypt.org/certs/isrgrootx1.pem) in your automation tool, but in pre-prod (staging LE) or internal dev (custom Boulder CA), it's difficult to handle root selection correctly.
The root is needed for cert pinning/HPKP or DANE/TLSA, even more so with private key renewal every 90 days (pinning the key is very risky/error-prone; you need to pin an intermediate (with trouble if it changes) or, better, the root cert).
Why not include a /acme/root-cert/ endpoint in the ACME protocol?