diff --git a/CHANGES b/CHANGES
index e6a585b11..b26cdb9c3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2415,4 +2415,5 @@
 * add a way for admins to set username when profiles are locked
 * Add support for secondary domains
 * postgresql: enable postgis
+* remove nginx config of stopped apps
 
diff --git a/src/apptask.js b/src/apptask.js
index a490e9c47..ffa60a43a 100644
--- a/src/apptask.js
+++ b/src/apptask.js
@@ -689,6 +689,7 @@ async function stop(app, args, progressCallback) {
     assert.strictEqual(typeof progressCallback, 'function');
 
     await progressCallback({ percent: 20, message: 'Stopping container' });
+    await reverseProxy.unconfigureApp(app); // removing nginx configs also means that we can auto-cleanup old certs since they are not referenced
     await docker.stopContainers(app.id);
 
     await progressCallback({ percent: 50, message: 'Stopping app services' });
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 132f34f6a..d7b23a739 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -672,6 +672,7 @@ async function cleanupCerts() {
             const fqdn = certFilename.replace(/\.cert$/, '');
             debug(`cleanupCerts: deleting certs of ${fqdn}`);
 
+            // it is safe to delete the certs of stopped apps because their nginx configs are removed
             safe.fs.unlinkSync(certFilePath);
             safe.fs.unlinkSync(path.join(paths.NGINX_CERT_DIR, `${fqdn}.key`));
             safe.fs.unlinkSync(path.join(paths.NGINX_CERT_DIR, `${fqdn}.csr`));