When does one load new ca-certs onto client?

What we're trying to get at, is did you put together the certificates in that cacert file? Or did you get it from somewhere else?

If you did it, and all that it has in it is the "ISRG Root X1" certificate, then that should be good for "a while". But let me go over some of the ways that it might no longer be the root you need:

  1. If you decide to put your server on some other platform (maybe one of the big "cloud" platforms) that makes it easier to get a certificate from their system rather than from Let's Encrypt, you might want to switch to that CA.
  2. If your embedded system supports ECDSA and does it more efficiently (in time/space/etc.) than RSA, you might want to switch your leaf to an ECDSA key and sign up to use the ECDSA intermediate as well, and then you would prefer to use the "ISRG Root X2" certificate in your cacert file.
  3. If Let's Encrypt had an extended outage, whether due to some major bug that took time to fix or because they just shut down from running out of money (it is a non-profit entirely dependent on donations, after all), you might need to switch to some other CA.
  4. If Let's Encrypt needed to revoke and replace its roots (maybe somehow there's a bug in the HSMs they use and they weren't generated with the correct amount of randomness, or maybe some malicious actor does a "mission impossible" that breaks into their secure datacenter and manages to steal the root keys, or maybe there's just some change in the rules CAs need to follow and to comply they need to make new keys), you'd need to put their new root in.
  5. Roots do expire, and ISRG Root X1 only has 13½ years left, so if your system may still be around in a decade then it'll definitely be wanting to move at some point to some other root. (Yeah, I know a decade is like forever in Internet Time, but systems have a way of sticking around much longer than some people might expect.)

Now, I don't know as any of those are especially likely for your use case. And if this is a device that's "sitting on your desk" or the like and relatively easy to update with physical access, then it may make sense to just keep the one root in there and just plan to update it if you need to. But if this is a device that's out "in the field" somewhere, and especially if it's relying on this secure connection in order to get updates at all, then you want to do a bit more contingency planning. You'd probably want at least two different CAs, to improve the likelihood that at least one of them was something you could be sure to get a certificate for in the future. You may even want to create your own CA to put as a root on the device, even if it's just as a "backup plan". A Let's Encrypt engineer replied to a similar question here with some recommended software for making your own CA as a backup for this sort of embedded systems scenario.

And whatever you do, ensure that it's only root certificates in the trust store, and not the intermediates or leaf certificates. Those can (and do) change all the time. Intermediates should be sent by the server as part of the TLS handshake, and the client should only need the root in order to validate the connection.

6 Likes
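As an added example (not part of the post above, and not Let's Encrypt code), here is one way to audit a cacert bundle for the two points the post raises: only roots belong in the trust store, and roots expire. The function names are made up for this sketch, `sample_pem` builds a constructed DER skeleton rather than a real certificate, and "root" here means issuer name equals subject name; no signature is verified.

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def children(buf):
    """Split buf into its DER elements: [(tag, whole_element, value), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        out.append((tag, buf[pos:start + length], buf[start:start + length]))
        pos = start + length
    return out

def inspect(der):
    """Return (issuer_der, subject_der, not_after) for one DER X.509 certificate."""
    f = children(children(children(der)[0][2])[0][2])  # Certificate -> tbsCertificate -> fields
    v = 1 if f[0][0] == 0xA0 else 0                    # skip the optional [0] version field
    # fields after it: serialNumber, signature, issuer, validity, subject, ...
    tag, _, val = children(f[v + 3][2])[1]             # validity -> notAfter
    text = val.decode("ascii")
    if tag == 0x17:                                    # UTCTime: RFC 5280 pivots at year 50
        text = ("19" if text[:2] >= "50" else "20") + text
    not_after = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return f[v + 2][1], f[v + 4][1], not_after

def audit_bundle(pem_text, now):
    """Label each certificate in a PEM bundle: root, expired-root or not-a-root."""
    labels = []
    for m in PEM_RE.finditer(pem_text):
        issuer, subject, not_after = inspect(base64.b64decode(m.group(1)))
        kind = "root" if not_after > now else "expired-root"
        labels.append(kind if issuer == subject else "not-a-root")  # else: intermediate or leaf
    return labels

def sample_pem(issuer, subject, not_after):
    """Constructed test input: a DER skeleton in tbsCertificate field order, not a real cert."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    name = lambda cn: enc(0x30, enc(0x0C, cn))
    tbs = (enc(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" + name(issuer)
           + enc(0x30, enc(0x17, b"200101000000Z") + enc(0x17, not_after)) + name(subject))
    b64 = base64.b64encode(enc(0x30, enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # constructed bundle: one root plus a certificate it issued
    print(audit_bundle(sample_pem(b"Root A", b"Root A", b"350101000000Z")
                       + sample_pem(b"Root A", b"Leaf", b"350101000000Z"), datetime.now(timezone.utc)))
```

Run against a real bundle with `audit_bundle(open(path).read(), datetime.now(timezone.utc))`; any `not-a-root` entry is an intermediate or leaf that should come out of the trust store.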