> Sure, what's wrong with that?

Nothing, in principle. I suppose you can use that to validate domain ownership, or use Let's Encrypt as a weird authentication service for your cluster. However, it's not exactly common to do so as far as I can tell.

> Currently servers can simply keep an up to date CA store (which is common and easy), and check the subject name, freeing the client to easily rotate their cert.

I understand the ease of use in that approach, but it leaves your authentication wide open to rogue certificates, i.e. through old DNS entries on a subdomain, or accidentally letting someone read email destined to hostmaster@domain.tld, or maybe by a rogue CA if you want to go full conspiracy mode.

As for pinning: you're required to pick a key store anyway, you can just point it at whatever CA file you want.

As for automated rotation: you can host your own ACME server for your own CA (it's like 10 lines of config in Caddy) and have other servers point an account on their certbot/acme.sh/etc. at it. This gives you even more control and lets you decide how long you want certificates to last.

It's not as easy as relying on CAs to do that validation for you, but also much better than the old-fashioned manual key configuration of yore.