diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index b5da6215b..88337000e 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -352,7 +352,7 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
         getCertApi(domainObject, function (error, api, apiOptions) {
             if (error) return callback(error);
 
-            getCertificateByHostname(vhost, domainObject, function (error, currentBundle) {
+            getCertificateByHostname(vhost, domainObject, function (_error, currentBundle) {
                 if (currentBundle) {
                     debug(`ensureCertificate: ${vhost} certificate already exists at ${currentBundle.keyFilePath}`);
 
@@ -370,6 +370,11 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
 
                     eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '' });
 
+                    if (error && currentBundle && !isExpiringSync(currentBundle.certFilePath, 0)) {
+                        debug('ensureCertificate: continue using existing bundle since renewal failed');
+                        return callback(null, currentBundle, { renewed: false });
+                    }
+
                     notifyCertChanged(vhost, function (error) {
                         if (error) return callback(error);