
Why is RENEW_PRIVATE_KEYS Globally Set Only?

Open CrypticCommit opened this issue 7 months ago • 0 comments

Hi there,

I’m curious why the RENEW_PRIVATE_KEYS option can only be set globally and not on a per-container basis. Wouldn't it make more sense to have this configurable for each container?

My use case involves securing a single service (rspamd with Anonaddy) using TLSA/DANE, as I believe (too) many mail servers still accept self-signed certificates. If that's true(?), I would prefer to keep the existing key for the mail server while renewing the keys with each certificate for my other web services.

Additionally, I couldn't find any documentation on running two instances of acme-companion in parallel, where I could reuse the key specifically for the rspamd/mail instance. That could be another potential solution.

Alternatively, should I just set RENEW_PRIVATE_KEYS to false, switch to ec-384, and not worry about it further?

Thanks for your advice and help!

CrypticCommit, Apr 15 '25 16:04
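An added example, not part of the issue above and not code from the acme-companion project, illustrating the DANE concern behind the question. A TLSA record of usage/selector/matching type `3 1 1` (DANE-EE, SubjectPublicKeyInfo, SHA-256) pins the public key, not the certificate, so it survives certificate renewal only while the private key is reused; rotating the key (what `RENEW_PRIVATE_KEYS` set to true does at each renewal) changes the digest and the published record must be updated before the new certificate goes live. The script builds constructed self-signed P-384 certificates with `openssl` purely for the demonstration; the hostname `mail.example.test` and the file names are placeholders, not anything the project uses.

```shell
#!/bin/sh
# Added example (not from acme-companion): why key reuse matters for TLSA 3 1 1.
# DANE-EE with selector 1 (SPKI) and matching type 1 (SHA-256) hashes the DER
# SubjectPublicKeyInfo of the end-entity certificate, so the record is stable
# across renewals that keep the key, and breaks when the key is regenerated.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder hostname for the constructed certificates (assumption, not from the issue).
HOST=mail.example.test

# Issue a short-lived self-signed certificate for an existing key.
# Stand-in for an ACME issuance; the subject is a placeholder.
issue_cert() {  # $1 = private key (PEM), $2 = output certificate (PEM)
    openssl req -new -x509 -key "$1" -out "$2" -days 90 -subj "/CN=$HOST" >/dev/null 2>&1
}

# Compute the TLSA "3 1 1" digest: SHA-256 over the DER-encoded SPKI. Prints 64 hex chars.
tlsa_311() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
}

# Render the full DNS record for the SMTP port (what a DANE-verifying sender looks up).
tlsa_record() {  # $1 = certificate (PEM)
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$HOST" "$(tlsa_311 "$1")"
}

# P-384 key, the curve acme-companion calls "ec-384"; first issuance.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/key1.pem"
issue_cert "$WORK/key1.pem" "$WORK/cert1.pem"

# Renewal that keeps the key (RENEW_PRIVATE_KEYS=false behaviour).
issue_cert "$WORK/key1.pem" "$WORK/cert2.pem"

# Renewal that also rotates the key (RENEW_PRIVATE_KEYS=true behaviour).
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/key2.pem"
issue_cert "$WORK/key2.pem" "$WORK/cert3.pem"

D1=$(tlsa_311 "$WORK/cert1.pem")
D2=$(tlsa_311 "$WORK/cert2.pem")
D3=$(tlsa_311 "$WORK/cert3.pem")

echo "initial:              $(tlsa_record "$WORK/cert1.pem")"
echo "renewed, same key:    $(tlsa_record "$WORK/cert2.pem")"
echo "renewed, rotated key: $(tlsa_record "$WORK/cert3.pem")"
[ "$D1" = "$D2" ]  && echo "same key  -> TLSA record unchanged, DANE keeps validating"
[ "$D1" != "$D3" ] && echo "new key   -> TLSA record differs, must be republished (or pre-published) before switching"
```

The practical check before enabling key rotation on a DANE-protected host is to run `tlsa_311` against the certificate the server actually presents and compare it with the `3 1 1` record in DNS; if they ever diverge after a renewal, the key was regenerated and senders that enforce DANE will refuse the connection until the record is updated.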