I just downloaded isrgrootx1.pem, lets-encrypt-x1-cross-signed.pem, and lets-encrypt-x2-cross-signed.pem. Thank you for using SHA256 instead of SHA-1. I thought I would inquire why you picked 2048-bit RSA for your CA. I understand that 2048-bit RSA is probably sufficient for most websites (equivalent in strength to 112-bit symmetric cryptography), but I would think you would want the CA to be a bit stronger, especially since you have an expiration date for 2035 on isrgrootx1.pem (2020 for X1 and X2). For example, the NSA requires 3072-bit RSA (equivalent to AES128 in strength) or P-384 (equivalent to AES192 in strength) with SHA384 for TOP SECRET, which would seem to be the appropriate equivalent for a CA.

When you offer EC certificates, which curves will you use for Root, X1/X2? Given the smaller size of EC certs, I think you can afford P-512 or P-384 for Root.

(equivalent strengths taken from NIST SP800-57part1rev3 Table 2)