If you look in the certificate store of your browser there are a number of issuing authorities that the browser will treat as valid source-of-truth providers for SSL certs. If a certificate doesn’t come from one of those, or is expired, or revoked the browser will throw up an alert to let the user know of the problem. Let’s Encrypt is a group created to issue these certs in an automated fashion just like the traditional CAs. Really it’s just a matter of which CAs are acceptable. Some organizations will remove trust for certain entities (Symantec for a while had removed the US Gov from the trusted issuers bundle for their Bluecoat proxies) if they deem an authority as suspect or potentially compromised. There wad also an incident several years ago where a major issuer had sent out an intermediate CA pair that a buisines ended up putting on a proxy that routed a big chunk of public traffic through effectively breaking the user’s encryption. That CA got banished from the common browsers shortly after.