diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 0e9627f79..3b06f58d7 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -253,12 +253,21 @@ function getAcmeCertificateNameSync(fqdn, domainObject) {
 }
 }
 
-function needsRenewalSync(cert) {
+function needsRenewalSync(cert, options) {
 assert.strictEqual(typeof cert, 'string');
+ assert.strictEqual(typeof options, 'string');
 
- const { endDate } = getCertificateDatesSync(cert);
- const isExpiring = (endDate - new Date()) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
- debug(`needsRenewal: ${isExpiring}`);
+ const { startDate, endDate } = getCertificateDatesSync(cert);
+ const now = new Date();
+
+ let isExpiring;
+ if (options.forceRenewal) {
+ isExpiring = (now - startDate) > (5 * 60 * 1000); // was renewed 5 minutes ago
+ } else {
+ isExpiring = (endDate - now) <= (30 * 24 * 60 * 60 * 1000); // expiring in a month
+ }
+
+ debug(`needsRenewal: ${isExpiring}. force: ${!!options.forceRenewal}`);
 
 return isExpiring;
 }
@@ -407,7 +416,7 @@ async function ensureCertificate(location, options, auditSource) {
 const cert = await blobs.getString(`${blobs.CERT_PREFIX}-${certName}.cert`);
 
 if (key && cert) {
- if (!options.forceRenewal && providerMatchesSync(domainObject, cert) && !needsRenewalSync(cert)) { // force is for e2e
+ if (providerMatchesSync(domainObject, cert) && !needsRenewalSync(cert, options)) {
 debug(`ensureCertificate: ${fqdn} acme cert exists and is up to date`);
 return;
 }
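Review bot: The new guard `assert.strictEqual(typeof options, 'string');` in needsRenewalSync cannot hold for the value it is given: the same function reads `options.forceRenewal`, and the second hunk passes ensureCertificate's `options` straight through, so `typeof` yields 'object' and the assertion throws before any date is compared. It should read `assert.strictEqual(typeof options, 'object');`. As written, every ensureCertificate call that finds an existing key and cert with a matching provider would fail on this assert instead of deciding on renewal, which would presumably block renewals until certificates lapse. The trailing comment `// was renewed 5 minutes ago` also reads the wrong way round, since the branch is true when the certificate is older than five minutes. If the issuing CA backdates notBefore, `startDate` would not reflect the issuance time and the five-minute throttle might never take effect, which is worth confirming against a freshly issued certificate.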
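Review bot: The early return in ensureCertificate now also swallows an explicit `forceRenewal` request when the certificate is less than five minutes old, yet the log line still says only `acme cert exists and is up to date`, and the removed `// force is for e2e` comment was the only explanation of the flag. I would keep a comment on the condition, e.g. `// forceRenewal is throttled in needsRenewalSync: skipped when the cert is under 5 minutes old`, and have the debug message say when a forced renewal was skipped. Callers that rely on forceRenewal to replace a certificate immediately (for instance after a suspected key exposure) would otherwise get no indication that nothing was reissued; whether such callers exist is not visible here. ensureCertificate starts and ends outside the hunk.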