Currently, only the intermediary chain can be retrieved from ACME protocol (via /acme/issuer-cert), without the root LE cert.
On production, you can hardcode the root cert (via https://letsencrypt.org/certs/isrgrootx1.pem) on your automation tool, but on pre-prod (staging LE) or internal dev (custom boulder CA), it’s difficult to handle correctly the root selection.
Root is needed for cert pinning/HPHP or DANE/TLSA, even more in the case of private key renewal each 90d (very risky/error-prone to pin the key, you need to pin an intermediary (with trouble if changed) or better the root cert).
Why not include a /acme/root-cert/ on ACME protocol ?
Don’t do this with key renew 60d or 90d.
HPKP doesnt support key change from last change to last change + max age. See here.
Having 90d max-age with 60d key renew is a non sense (risk of HPKP break for clients).
Having 90d max-age with 90d key renew put you vulnerable all the time (no way to renew the key before 90d after the last renew, key renew each 90d).
To have HPKP working correctly, you need key renewal >>> max-age (for example max-age 90d with key renew 1y = protected 75% of the time, and 98% with 10y key renew).
The best with HPKP is to have stable key ’til compromission or weakness.