diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index e4705c131..a5baf06bb 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -157,6 +157,16 @@ function validateCertificate(subdomain, domain, certificate) {
 return null;
 }
+async function notifyCertChange() {
+ // let other parts of code know about any cert changes. apptask can trigger a renewal, provider can change, for example
+ await mail.handleCertChanged();
+ await shell.promises.sudo('notifyCertChange', [ RESTART_SERVICE_CMD, 'box' ], {}); // directory server
+ const allApps = (await apps.list()).filter(app => app.runState !== apps.RSTATE_STOPPED);
+ for (const app of allApps) {
+ if (app.manifest.addons?.tls) await setupTlsAddon(app);
+ }
+}
+
 async function reload() {
 if (constants.TEST) return;
@@ -206,6 +216,7 @@ async function setFallbackCertificate(domain, certificate) {
 if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, `${domain}.host.key`), certificate.key)) throw new BoxError(BoxError.FS_ERROR, safe.error.message);
 await reload();
+ await notifyCertChange();
 }
 async function restoreFallbackCertificates() {
@@ -391,6 +402,8 @@ async function ensureCertificate(location, auditSource) {
 const [error] = await safe(acme2.getCertificate(fqdn, domainObject));
 debug(`ensureCertificate: error: ${error ? error.message : 'null'}`);
+ if (!error) await notifyCertChange();
+
 await safe(eventlog.add(eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: fqdn, errorMessage: error?.message || '' }));
 }
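Review bot: notifyCertChange() awaits its three steps in sequence with no error handling, so if mail.handleCertChanged() or the sudo call rejects, the remaining consumers are never told and keep serving the previous certificate. Since a certificate may be replaced precisely because the old one should no longer be used, each step would be better wrapped in the `safe()` helper this file already uses, for example `const [mailError] = await safe(mail.handleCertChanged());`, with failures logged and rethrown only after every consumer has been attempted. The function also lacks the `if (constants.TEST) return;` guard that reload() has directly below it, although it shells out through sudo (`RESTART_SERVICE_CMD`, presumably a restart of the `box` service) and is now reached from setFallbackCertificate and ensureCertificate as well as checkCerts. A short comment stating why the `box` service is restarted here, and whether callers may themselves be running inside that service, would help the next reader.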
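Review bot: The new `if (!error) await notifyCertChange();` sits before the `eventlog.add(eventlog.ACTION_CERTIFICATE_NEW, ...)` call and is not wrapped in `safe()`, so any rejection from the notification aborts ensureCertificate before the audit event for the newly issued certificate is written. Moving the call below the eventlog line, or capturing it as `const [notifyError] = await safe(notifyCertChange());` and reporting `notifyError` through `debug`, keeps the audit trail complete. It is also not visible from this hunk whether acme2.getCertificate() resolves without error when it merely reuses an existing valid certificate; if it does, every such call would trigger the service restart and addon setup with nothing changed. ensureCertificate's body starts outside the hunk.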
@@ -620,16 +633,10 @@ async function checkCerts(options, auditSource, progressCallback) { await writeAppConfigs(app); } await writeDashboardConfig(settings.dashboardDomain()); + await notifyCertChange(); // this allows user to "rebuild" using UI just in case we crashed and went out of sync safe.fs.unlinkSync(paths.REVERSE_PROXY_REBUILD_FILE); } - // let other parts of code know about any cert changes. apptask can trigger a renewal, provider can change, for example - await mail.handleCertChanged(); - await shell.promises.sudo('rebuildConfigs', [ RESTART_SERVICE_CMD, 'box' ], {}); // directory server - for (const app of allApps) { - if (app.manifest.addons?.tls) await setupTlsAddon(app); - } - await cleanupCerts(locations, auditSource, progressCallback); }
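Review bot: With the unconditional block removed, checkCerts only notifies on the rebuild path, and every other certificate change now depends on ensureCertificate calling notifyCertChange() itself. The renewal loop is outside this hunk, but if it goes through ensureCertificate once per location, a run that issues several certificates will repeat the `box` service call and re-run setupTlsAddon for every running app once per certificate instead of once per run. Consider having ensureCertificate report whether a certificate was actually issued and calling `await notifyCertChange();` a single time after the loop, just before `cleanupCerts(...)`. A comment on notifyCertChange() listing which callers are responsible for invoking it would make a missed call site easier to spot in review.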