diff --git a/src/apptask.js b/src/apptask.js
index 8ba21661e..7c72fdbab 100644
--- a/src/apptask.js
+++ b/src/apptask.js
@@ -116,7 +116,7 @@ function configureReverseProxy(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    reverseProxy.configureApp(app, callback);
+    reverseProxy.configureApp(app, { userId: null, username: 'apptask' }, callback);
 }
 
 function unconfigureReverseProxy(app, callback) {
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 36cf4ca74..f426e4159 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -317,8 +317,9 @@ function getCertificate(app, callback) {
     callback(null, path.join(paths.NGINX_CERT_DIR, `${app.domain}.host.cert`), path.join(paths.NGINX_CERT_DIR, `${app.domain}.host.key`));
 }
 
-function ensureCertificate(app, callback) {
+function ensureCertificate(app, auditSource, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var vhost = app.altDomain || app.intrinsicFqdn;
@@ -349,7 +350,13 @@ function ensureCertificate(app, callback) {
         debug('ensureCertificate: getting certificate for %s with options %j', vhost, apiOptions);
 
         api.getCertificate(vhost, apiOptions, function (error, certFilePath, keyFilePath) {
-            if (error) debug('ensureCertificate: could not get certificate. using fallback certs', error);
+            if (error) {
+                debug('ensureCertificate: could not get certificate. using fallback certs', error);
+                mailer.certificateRenewalError(vhost, errorMessage);
+            }
+
+            var errorMessage = error ? error.message : '';
+            eventlog.add(eventlog.ACTION_CERTIFICATE_RENEWAL, auditSource, { domain: vhost, errorMessage: errorMessage });
 
             // if no cert was returned use fallback. the fallback/caas provider will not provide any for example
             if (!certFilePath || !keyFilePath) {
@@ -388,21 +395,24 @@ function configureAdminInternal(certFilePath, keyFilePath, configFileName, vhost
     reload(callback);
 }
 
-function configureAdmin(callback) {
+function configureAdmin(auditSource, callback) {
+    assert.strictEqual(typeof auditSource, 'function');
     assert.strictEqual(typeof callback, 'function');
 
-    ensureCertificate({ domain: config.adminDomain(), location: config.adminLocation(), intrinsicFqdn: config.adminFqdn() }, function (error, certFilePath, keyFilePath) {
+    var adminApp = { domain: config.adminDomain(), intrinsicFqdn: config.adminFqdn() };
+    ensureCertificate(auditSource, adminApp, function (error, certFilePath, keyFilePath) {
         if (error) return callback(error);
 
         configureAdminInternal(certFilePath, keyFilePath, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
     });
 }
 
-function configureApp(app, callback) {
+function configureApp(app, auditSource, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    ensureCertificate(app, function (error, certFilePath, keyFilePath) {
+    ensureCertificate(app, auditSource, function (error, certFilePath, keyFilePath) {
         if (error) return callback(error);
 
         var sourceDir = path.resolve(__dirname, '..');
diff --git a/src/setup.js b/src/setup.js
index 835f5ff8b..eb6523742 100644
--- a/src/setup.js
+++ b/src/setup.js
@@ -129,7 +129,7 @@ function configureWebadmin(callback) {
     function configureReverseProxy(error) {
         debug('configureReverseProxy: dns update: %j', error || {});
 
-        reverseProxy.configureAdmin(function (error) {
+        reverseProxy.configureAdmin({ userId: null, username: 'setup' }, function (error) {
             if (error) return done(error);
 
             gWebadminStatus.tls = true;