diff --git a/src/cert/acme2.js b/src/cert/acme2.js
index 9bd73ec9c..44879278f 100644
--- a/src/cert/acme2.js
+++ b/src/cert/acme2.js
@@ -481,6 +481,8 @@ Acme2.prototype.prepareChallenge = function (hostname, domain, authorizationUrl,
     assert.strictEqual(typeof authorizationUrl, 'string');
     assert.strictEqual(typeof callback, 'function');
 
+    debug(`prepareChallenge: http: ${this.performHttpAuthorization}`);
+
     const that = this;
     superagent.get(authorizationUrl).timeout(30 * 1000).end(function (error, response) {
         if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, 'Network error when preparing challenge'));
@@ -502,6 +504,8 @@ Acme2.prototype.cleanupChallenge = function (hostname, domain, challenge, callba
     assert.strictEqual(typeof challenge, 'object');
     assert.strictEqual(typeof callback, 'function');
 
+    debug(`cleanupChallenge: http: ${this.performHttpAuthorization}`);
+
     if (this.performHttpAuthorization) {
         this.cleanupHttpChallenge(hostname, domain, challenge, callback);
     } else {
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index f8b94bb3b..b5da6215b 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -333,6 +333,8 @@ function notifyCertChanged(vhost, callback) {
     assert.strictEqual(typeof vhost, 'string');
     assert.strictEqual(typeof callback, 'function');
 
+    debug(`notifyCertChanged: vhost: ${vhost} mailFqdn: ${settings.mailFqdn()}`);
+
     if (vhost !== settings.mailFqdn()) return callback();
 
     mail.handleCertChanged(callback);
@@ -364,6 +366,8 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
                 debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
 
                 api.getCertificate(vhost, domain, apiOptions, function (error, certFilePath, keyFilePath) {
+                    debug(`ensureCertificate: error: ${error ? error.message : 'null'} cert: ${certFilePath}`);
+
                     eventlog.add(currentBundle ? eventlog.ACTION_CERTIFICATE_RENEWAL : eventlog.ACTION_CERTIFICATE_NEW, auditSource, { domain: vhost, errorMessage: error ? error.message : '' });
 
                     notifyCertChanged(vhost, function (error) {
@@ -371,6 +375,8 @@ function ensureCertificate(vhost, domain, auditSource, callback) {
 
                         if (certFilePath && keyFilePath) return callback(null, { certFilePath, keyFilePath }, { renewed: true });
 
+                        debug(`ensureCertificate: renewal of ${vhost} failed. using fallback certificates for ${domain}`);
+
                         // if no cert was returned use fallback. the fallback/caas provider will not provide any for example
                         getFallbackCertificate(domain, function (error, bundle) {
                             if (error) return callback(error);