Let's Encrypt is a new CA (Certificate authority) thus it's signing certificate is not installed very widely. This means that many machines do not know that it is to be trusted.
To cure this Let's Encrypt certificate is cross signed by IdenTrust who's certifcate is widely trusted.
So: Let's Encrypt's IdenTrust signed certificate must be given to the connecting client (eg web browser) when a Let's Encrypt signed certificate is given to the client. This is called certificate chaining.
Long term the Let's Encrypt certificate will become widely trusted in it own right.
Apache is easy, the directive
SSLCertificateChainFile is used, see here.
Many other programs do not have a directive like
For these the chain certificate should be put after the Let's Encrypt signed certificate (ie your certificate) in the same file.
These scripts create such a file for you, it has
-chained as part of the name.