IoT Devices with X3 certificate embedded

Unfortunately, you're going to run into problems earlier than you think, for a different reason. "Let's Encrypt Authority X3" is not a long-lived root certificate; it's an intermediate certificate. We issue from intermediates, but they are trusted because they are in turn signed by root certificates. Intermediates change more often than root certificates.

Specifically, on December 1 we started issuing from our newer R3 intermediate. That intermediate is signed by our "ISRG Root X1" root, just like Let's Encrypt Authority X3. But because your devices do not trust "ISRG Root X1," they will not trust certificates issued by R3.

Do your devices talk to a single API server? What's the hostname for that server, and how long is left on the lifetime for that server's certificate? This will become a problem for you when you next rotate certificates on that server. Normally that happens 60 days after the last certificate was issued, but in a pinch, you can stretch it out all the way to the NotAfter date on the certificate.

2 Likes
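
The trust failure described in the reply above, reproduced offline as an added example (not part of the original post and not Let's Encrypt code). It builds a throwaway lab PKI with `openssl`, where "Lab Root", "Lab X3" and "Lab R3" are constructed stand-ins for the real certificates, and assumes the device's whole trust store is a single pinned CA file.

```shell
#!/bin/sh
# Added example. Constructed lab PKI: "Lab Root", "Lab X3" and "Lab R3" are
# stand-ins, not real Let's Encrypt certificates. Assumption: the device's whole
# trust store is one pinned CA file, modelled with `openssl verify -partial_chain`.

issue() {  # issue <name> <CN> <days> <openssl x509 signing args...>
  n=$1 cn=$2 days=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null &&
  openssl x509 -req -in "$n.csr" -days "$days" -out "$n.pem" "$@" 2>/dev/null
}

build_lab() (  # build_lab <dir>: one root, two intermediates, one leaf under each
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  issue root "Lab Root" 3650 -signkey root.key -extfile ca.ext &&
  issue x3 "Lab X3" 1825 -CA root.pem -CAkey root.key -set_serial 2 -extfile ca.ext &&
  issue r3 "Lab R3" 1825 -CA root.pem -CAkey root.key -set_serial 3 -extfile ca.ext &&
  issue old-leaf api.example.test 90 -CA x3.pem -CAkey x3.key -set_serial 4 &&
  issue new-leaf api.example.test 90 -CA r3.pem -CAkey r3.key -set_serial 5 &&
  cat x3.pem r3.pem > sent.pem   # intermediates a server could send in the handshake
)

device_trusts() {  # device_trusts <pinned-ca.pem> <leaf.pem> [intermediates sent by server]
  openssl verify -partial_chain -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

issuer_of() {  # print the issuer DN of a certificate
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

expires_within() {  # expires_within <cert.pem> <days>: true if NotAfter falls in the window
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

LAB=$(mktemp -d) && trap 'rm -rf "$LAB"' EXIT && build_lab "$LAB"
for leaf in old-leaf new-leaf; do
  for pin in x3 root; do
    if device_trusts "$LAB/$pin.pem" "$LAB/$leaf.pem" "$LAB/sent.pem"
    then verdict=accepted; else verdict=REJECTED; fi
    echo "$leaf ($(issuer_of "$LAB/$leaf.pem")) vs device pinned to $pin: $verdict"
  done
done
expires_within "$LAB/old-leaf.pem" 30 || echo "old-leaf: more than 30 days left before NotAfter"
```

Against a real deployment, `issuer_of` and `expires_within` can be pointed at the API server's current certificate saved as PEM to see which intermediate issued it and how much lifetime remains.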