Customers cannot access sites who's certificate CA is YE1 as it is missing from our firewall and needs to be added manually. The CA needs to be in Base64 format.
All the certificates and intermediates are available on the Chains of Trust documentation page. But firewalls shouldn't need to do anything special for it; do you need to add every root and/or intermediate from every CA to it? Are you building a custom trust store? If you say more details about what firewall and how it's configured, people might be able to help you configure it in such a way that it doesn't need updates every time any CA makes any change.
yup sorry just found it 
@tcsr121 welcome to the community! 
When the firewall acquired a recent Letsencrypt certificate, the signing certificate (YE1) came with it in the certificate chain. Better to use the chain automatically instead of explicit download, the signing certificate may change in the future.
To be clear:
YE1 is an intermediate cert [not a trusted root CA]
It is signed by: ISRG Root YE [a trusted root CA]
It should not be required for anyone to add intermediate certs anywhere.