SSL with Let's Encrypt server certificates, no client authentication
We are trying to configure a multi-client-server setup to communicate using SSL without client authentication. If I understand this paradigm correctly from here, this means that we only need a certificate for the server, which is the one to be authenticated. Then, when the client needs to authenticate the server upon starting the connection, the server sends its certificate to the client, which shall then be validated by the client. Am I correct so far?
If so, at this point I have a question. From reading several posts on the forum, I somehow understand that, even when the client is not to be authenticated by the server (for which the server is to be configured with e.g. "IceSSL.VerifyPeer=1"), the client still needs to be provided with a file containing the server's public key (using the IceSSL.CertAuthFile property). My question is: why does the client need this certificate? Isn't the server sending it?
What we are ultimately trying to do is set up our server to use Let's Encrypt certificates, which are automatically renewed every 90 days, and have the clients seamlessly adapt to the server certificate renewals. Our client applications are mobile devices, and we cannot update their configuration once the app has been deployed.
So, can somebody please explain:
1 - Why do the clients need the server's public certificate? Can you point to some documentation somewhere?
2 - How to configure the client and server to use Let's Encrypt certificates? Can somebody please give a concrete configuration example?
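An added example (not part of the post and not IceSSL code) that demonstrates the answer to both questions with Python's ssl module. The file the client needs is not the server's own certificate but a trust anchor: the server does send its certificate during the handshake, but so would an impostor, and the client can only accept it if it chains to a CA it already trusts before the connection starts. For Let's Encrypt that trust anchor is the Let's Encrypt root (ISRG Root X1), which is what belongs in the file the post calls IceSSL.CertAuthFile; the server should present its leaf plus the intermediate (certbot's fullchain.pem). Shipping the root rather than the leaf is what lets a client survive the 90-day renewals. The code below generates a throwaway root, intermediate and server certificate with the `cryptography` package (assumed installed), runs four handshakes entirely in memory through ssl.MemoryBIO, and shows which client configurations still work after the server "renews" with a fresh key; the hostname server.example and the CA names are constructed for the example.

```python
# Added example (not from the forum post, not IceSSL code): why a TLS client needs a
# trust anchor even though the server sends its certificate, and what happens at
# renewal time. A throwaway root CA, intermediate and server cert are generated in
# memory with the `cryptography` package (assumed installed); the handshakes run
# entirely in memory via ssl.MemoryBIO, so nothing touches the network.
import datetime
import os
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

HOST = "server.example"  # constructed hostname; the client checks the cert's SAN against it


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, issuer_key, pubkey, ca, path_len=None, san=None, days=90):
    """Issue one X.509 certificate; the default `days` mirrors the 90-day Let's Encrypt lifetime."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject)).issuer_name(_name(issuer))
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True))
    if san:
        b = (b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
              .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False))
    return b.sign(issuer_key, hashes.SHA256())


def pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def server_context(leaf, intermediate, key):
    """Server side: present the leaf *and* the intermediate (the layout of certbot's fullchain.pem)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.TemporaryDirectory() as d:  # load_cert_chain wants files on disk
        chain, privkey = os.path.join(d, "fullchain.pem"), os.path.join(d, "privkey.pem")
        with open(chain, "wb") as f:
            f.write(pem(leaf) + pem(intermediate))
        with open(privkey, "wb") as f:
            f.write(key.private_bytes(serialization.Encoding.PEM,
                                      serialization.PrivateFormat.PKCS8,
                                      serialization.NoEncryption()))
        ctx.load_cert_chain(chain, privkey)
    return ctx


def client_context(trust_anchor_pem):
    """Client side: no client certificate at all, only a trust store (what a CA file provides)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the peer cert and hostname by default
    if trust_anchor_pem is not None:
        ctx.load_verify_locations(cadata=trust_anchor_pem.decode())
    return ctx


def try_handshake(client_ctx, server_ctx):
    """Drive a full TLS handshake through memory BIOs; returns (True, "verified") or (False, reason)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False, server_hostname=HOST)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    c_done = s_done = False
    try:
        for _ in range(10):
            if not c_done:
                try:
                    client.do_handshake(); c_done = True
                except ssl.SSLWantReadError:
                    pass
            s_in.write(c_out.read())      # client -> server bytes
            if not s_done:
                try:
                    server.do_handshake(); s_done = True
                except ssl.SSLWantReadError:
                    pass
            c_in.write(s_out.read())      # server -> client bytes (includes the certificate chain)
            if c_done and s_done:
                return True, "verified"
    except ssl.SSLCertVerificationError as e:  # raised on the client side when the chain is untrusted
        return False, e.verify_message
    raise RuntimeError("handshake did not complete")


def run_scenarios():
    """Four handshakes that answer the two questions in the post."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Example Root CA", "Example Root CA", root_key, root_key.public_key(), ca=True, days=3650)
    inter = _cert("Example Intermediate", "Example Root CA", root_key, inter_key.public_key(),
                  ca=True, path_len=0, days=1825)
    leaf = _cert(HOST, "Example Intermediate", inter_key, leaf_key.public_key(), ca=False, san=HOST)
    results = {
        # 1. The client's CA file holds the root: the chain the server sends verifies up to it.
        "trust_root": try_handshake(client_context(pem(root)), server_context(leaf, inter, leaf_key)),
        # 2. No CA file at all: the server still sends its certificate, but nothing vouches for it.
        "no_trust_anchor": try_handshake(client_context(None), server_context(leaf, inter, leaf_key)),
    }
    # "90 days later": the server renews with a fresh key pair and a new leaf from the same CA.
    new_key = ec.generate_private_key(ec.SECP256R1())
    new_leaf = _cert(HOST, "Example Intermediate", inter_key, new_key.public_key(), ca=False, san=HOST)
    # 3. A client that trusts the root keeps working with no reconfiguration.
    results["trust_root_after_renewal"] = try_handshake(
        client_context(pem(root)), server_context(new_leaf, inter, new_key))
    # 4. A client that shipped the old server leaf as its "CA file" breaks at the first renewal.
    results["pinned_old_leaf_after_renewal"] = try_handshake(
        client_context(pem(leaf)), server_context(new_leaf, inter, new_key))
    return results


if __name__ == "__main__":
    for scenario, (ok, detail) in run_scenarios().items():
        print(f"{scenario:32} {'OK' if ok else 'REJECTED'}  {detail}")
```

Scenarios 2 and 4 are the failure modes the post is worried about: the client receives the server's certificate in both cases, yet rejects it, because nothing it was configured with in advance vouches for the signer. Only scenario 3 satisfies the "deploy once, renew forever" requirement for the mobile clients, and it relies on the client's CA file holding the issuing CA's root rather than the server's own certificate or an intermediate (Let's Encrypt intermediates also rotate). The root itself has an expiry date too, so it should be shipped with a wide margin.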