Supplying a certificate in the certificate chain that is expected to be in the trusted root CA store is very much not “doing the right thing”.
Let’s take a look at the certificate chain from letsencrypt.org itself: SSL Server Test: letsencrypt.org (Powered by Qualys SSL Labs)
Hey, look. They’re doing the same, the certificate chain is identical (except for the server cert of course).
So either your devops guy is wrong, or CDCK and LetsEncrypt and Qualys are wrong.
Tell him to update the root CA store. It will resolve the issue. Believe me.