Clean up Caddy Certificates

Yeah, ultimately, it’s up to your config to prevent a cert from being renewed, although, I think, given recent improvements in on-demand TLS, we can do better in a few ways:

  • Currently, on-demand certs are renewed in the background with the other ones if they are already in memory. We can skip maintaining on-demand certs in the background renewal routine and let handshakes trigger maintenance instead.
  • By doing maintenance in the handshakes, the ask endpoint will be invoked before all renewals of on-demand certs.
1 Like
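The ask endpoint mentioned above is the gate that decides which names Caddy may obtain (and, with the change proposed here, renew) certificates for; as an added example that is not part of the original post or of Caddy's own code, here is a minimal allowlist endpoint in Go. The `/ask` path, the loopback port and the domain list are assumptions; Caddy's request shape (`GET ...?domain=<name>`, any 2xx status meaning "allowed") is as documented.

```go
package main

import (
	"net/http"
	"strings"
)

// allowedDomains is a constructed sample allowlist of hostnames this
// ask endpoint approves for on-demand issuance and renewal.
var allowedDomains = map[string]bool{
	"example.com":     true,
	"www.example.com": true,
}

// domainAllowed decides whether Caddy may obtain or renew a certificate for
// the given name. It normalises case and a trailing dot, rejects empty and
// wildcard names, and then consults the allowlist.
func domainAllowed(domain string) bool {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if d == "" || strings.Contains(d, "*") {
		return false
	}
	return allowedDomains[d]
}

// askHandler serves Caddy's on_demand_tls "ask" request. Caddy passes the
// requested name in the "domain" query parameter and treats any 2xx status
// as permission; any other status blocks issuance/renewal for that name.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if domainAllowed(r.URL.Query().Get("domain")) {
		w.WriteHeader(http.StatusOK)
		return
	}
	http.Error(w, "domain not permitted", http.StatusForbidden)
}

func main() {
	http.HandleFunc("/ask", askHandler)
	// Assumed Caddyfile global option pointing at this service:
	//   on_demand_tls { ask http://127.0.0.1:9123/ask }
	http.ListenAndServe("127.0.0.1:9123", nil)
}
```

Binding to loopback keeps the decision service unreachable from the outside; only Caddy on the same host can query it.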