That's weird... "DST Root CA X3" is a root operated by IdenTrust that signs the Let's Encrypt intermediates. As far as I know, they've never capitalized it "DST root CA X3". Is that a transcription error or is that what the error message said?
Root CRLs aren't even usually updated very frequently. (The current one in question is valid for 30 days, though i don't know how often it's replaced.)
I'd guess that the MikroTik's CRL software isn't configured to recognize DST Root CA X3 as a valid CA, or that it has a bug, but I dunno. You may need to ask MikroTik support.
Let's Encrypt doesn't inherently limit where you create or install certificates. Many ACME clients only (conveniently) support certain environments, but the CA doesn't inherently care. You can run a client on one server, copy the HTTP-01 challenge file to a second server for validation, and copy the certificate and key to a third server, if you wanted to. (certbot certonly --manual can do it, but it would be a very manual process, or require some scripting on your part. Some clients come with more built-in support.)
(HTTP-01 was only used as an example. It would be similar for DNS-01.)
Some hosting companies may limit what you can do with a certificate by keeping the private key from you, and some CAs may have restrictive licensing terms, but Let's Encrypt doesn't, and certificates and keys are just data structures in files, so you can copy them around to different computers if you want.
A more complicated setup may make it difficult to automate certificate renewal, though. And Let's Encrypt certificates expire every 90 days.
It doesn't matter. If using HTTP-01 or TLS-SNI-01 validation, the A/AAAA/CNAME record(s) have to function during the moments a validation is being performed, but beyond that it doesn't matter. For DNS-01, it never matters.
You wouldn't need any A, AAAA or CNAME records.
No. A validation can be reused for a certain amount of time (currently 30 days, but subject to change), but it will have expired long before you usually want to renew, so you'll have to validate all over again. When using DNS-01, that would mean setting a new TXT record with a different value. (HTTP-01 or TLS-SNI-01 would likewise require new values.)
No. Let's Encrypt only does anything during the moments when you're performing a validation (when creating or renewing a certificate). Outside of those seconds, the Let's Encrypt servers don't need to access your services.
For HTTP-01 and TLS-SNI-01 validation, Let's Encrypt needs to access your site on ports 80 and 443 respectively. For DNS-01, well, it just needs to be able to make the DNS queries.
The IPs of the validation servers are undisclosed and subject to change.
One certificate can have up to 100 names, from 1 or more domains. (example.com, www.example.com, www2.example.com, xyz.example.net...)
Let's Encrypt doesn't support wildcard certificates (*.example.com) but will starting in January.
You can copy a certificate to several computers if you want.
You can also issue a fairly large number of certificates, subject to the rate limits.
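A worked example of the "run the client on one server, copy the HTTP-01 challenge file to a second server" scenario described earlier in the thread. This is added here and is not code from the thread or from certbot: it is a hypothetical script for certbot's --manual-auth-hook option (that option and the CERTBOT_TOKEN / CERTBOT_VALIDATION variables certbot exports to the hook are real; the WEBROOT variable, the remote-copy convention and the script itself are assumptions).

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook (assumption, not certbot's own code).
# certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION (the key authorization)
# to the hook. WEBROOT (assumed) is either a local document root or
# user@host:/path, in which case the file is copied to the web server with scp.
set -eu

# Place the key authorization at /.well-known/acme-challenge/<token> under
# the webroot. Prints the path written so callers (and tests) can check it.
stage_http01_challenge() {
    token="$1"; keyauth="$2"; webroot="$3"
    # ACME tokens are base64url characters only; reject anything else so a
    # malformed or hostile token can't write outside the challenge directory.
    case "$token" in
        ""|*[!A-Za-z0-9_-]*) echo "refusing suspicious token" >&2; return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    case "$webroot" in
        *:*)
            # Remote webroot: write locally, create the directory over ssh,
            # then copy the file into place with scp.
            tmp=$(mktemp); printf '%s' "$keyauth" > "$tmp"
            ssh "${webroot%%:*}" "mkdir -p '${webroot#*:}/.well-known/acme-challenge'"
            scp -q "$tmp" "$dir/$token"; rm -f "$tmp" ;;
        *)
            # Local webroot: write the file directly.
            mkdir -p "$dir"; printf '%s' "$keyauth" > "$dir/$token" ;;
    esac
    echo "$dir/$token"
}

# Entry point when certbot invokes this script as the auth hook.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    stage_http01_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" "${WEBROOT:?set WEBROOT}"
fi
```

A matching --manual-cleanup-hook would remove the same file after validation; renewal every 90 days then only needs the hook to keep working, which is the automation the thread warns a multi-server setup can complicate.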