diff --git a/src/certificates.js b/src/certificates.js
index e1b6b8c87..6892c92b9 100644
--- a/src/certificates.js
+++ b/src/certificates.js
@@ -212,7 +212,7 @@ function renewAll(auditSource, callback) {
 // reconfigure and reload nginx. this is required for the case where we got a renewed cert after fallback
 var configureFunc = app.location === constants.ADMIN_LOCATION ?
- nginx.configureAdmin.bind(null, certFilePath, keyFilePath, config.adminFqdn())
+ nginx.configureAdmin.bind(null, certFilePath, keyFilePath, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn())
 : nginx.configureApp.bind(null, app, certFilePath, keyFilePath);
 configureFunc(function (ignoredError) {
@@ -313,7 +313,7 @@ function setAdminCertificate(cert, key, callback) {
 if (!safe.fs.writeFileSync(certFilePath, cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
 if (!safe.fs.writeFileSync(keyFilePath, key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
- nginx.configureAdmin(certFilePath, keyFilePath, config.adminFqdn(), callback);
+ nginx.configureAdmin(certFilePath, keyFilePath, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
 }
 function getAdminCertificatePath(callback) {
diff --git a/src/cloudron.js b/src/cloudron.js
index 34a1b02da..d6871ba6f 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -194,17 +194,24 @@ function configureAdmin(callback) {
 sysinfo.getIp(function (error, ip) {
 if (error) return callback(error);
- // always setup cert and nginx config for ip
- // TODO we should only regenerate the cert if the ip changes?
- var certFilePath = path.join(paths.NGINX_CERT_DIR, IP_BASED_SETUP_NAME + '.cert');
- var keyFilePath = path.join(paths.NGINX_CERT_DIR, IP_BASED_SETUP_NAME + '.key');
- var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=%s -nodes', keyFilePath, certFilePath, ip);
+ var certFilePath = path.join(paths.NGINX_CERT_DIR, IP_BASED_SETUP_NAME + '-' + ip + '.cert');
+ var keyFilePath = path.join(paths.NGINX_CERT_DIR, IP_BASED_SETUP_NAME + '-' + ip + '.key');
- safe.child_process.execSync(certCommand);
+ // check if we already have a cert for this IP, otherwise create one, this is mostly useful for servers with changing IPs
+ if (!fs.existsSync(certFilePath) || !fs.existsSync(keyFilePath)) {
+ debug('configureAdmin: create new cert for %s', ip);
- nginx.configureAdmin(certFilePath, keyFilePath, ip, callback);
+ var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=%s -nodes', keyFilePath, certFilePath, ip);
+ safe.child_process.execSync(certCommand);
+ }
+
+ // always create a configuration for the ip
+ nginx.configureAdmin(certFilePath, keyFilePath, IP_BASED_SETUP_NAME + '.conf', ip, function (error) {
+ if (error) return callback(error);
+
+ // skip my.domain.com setup if we don't have a domain
+ if (!config.fqdn()) return callback(null);
- if (config.fqdn()) {
 gConfigState.domain = config.fqdn();
 subdomains.waitForDns(config.adminFqdn(), ip, 'A', { interval: 30000, times: 50000 }, function (error) {
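Review bot: `ip` from `sysinfo.getIp` is now interpolated unchecked into two sinks in this hunk: the certificate and key paths (`IP_BASED_SETUP_NAME + '-' + ip + '.cert'`) and the shell string handed to `safe.child_process.execSync`. Whether `sysinfo.getIp` guarantees a literal address is not visible here, so a guard before the `path.join` calls such as `if (!net.isIP(ip)) return callback(new Error('invalid ip from sysinfo'));` (with `net` required at the top of the file) would keep path separators and shell metacharacters out of both. The result of `execSync` is still ignored, so if openssl fails, `nginx.configureAdmin` is given paths to files that were never written; checking it the way the `safe.fs.writeFileSync` calls elsewhere in this commit are checked would surface that. Key files for earlier addresses now stay in `paths.NGINX_CERT_DIR` indefinitely, and an existing pair is reused with no validity check, which deserves a comment or a cleanup step. `configureAdmin` continues past the end of the hunk.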
@@ -220,10 +227,10 @@ function configureAdmin(callback) {
 gConfigState.tls = true;
- nginx.configureAdmin(certFilePath, keyFilePath, config.adminFqdn(), callback);
+ nginx.configureAdmin(certFilePath, keyFilePath, constants.NGINX_ADMIN_CONFIG_FILE_NAME, config.adminFqdn(), callback);
 });
 });
- }
+ });
 });
 }
diff --git a/src/constants.js b/src/constants.js
index 1d9f32a05..1ca6b27cf 100644
--- a/src/constants.js
+++ b/src/constants.js
@@ -26,6 +26,8 @@ exports = module.exports = { ADMIN_GROUP_ID: 'admin', + NGINX_ADMIN_CONFIG_FILE_NAME: 'admin.conf', + GHOST_USER_FILE: '/tmp/cloudron_ghost.json', DEFAULT_TOKEN_EXPIRATION: 7 * 24 * 60 * 60 * 1000, // 1 week
diff --git a/src/nginx.js b/src/nginx.js
index 9f6b45327..033b2bd17 100644
--- a/src/nginx.js
+++ b/src/nginx.js
@@ -20,9 +20,10 @@ exports = module.exports = {
 var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }), RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
-function configureAdmin(certFilePath, keyFilePath, vhost, callback) {
+function configureAdmin(certFilePath, keyFilePath, configFileName, vhost, callback) {
 assert.strictEqual(typeof certFilePath, 'string');
 assert.strictEqual(typeof keyFilePath, 'string');
+ assert.strictEqual(typeof configFileName, 'string');
 assert.strictEqual(typeof vhost, 'string');
 assert.strictEqual(typeof callback, 'function');
@@ -36,7 +37,7 @@ function configureAdmin(certFilePath, keyFilePath, vhost, callback) {
 xFrameOptions: 'SAMEORIGIN'
 };
 var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
- var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, 'admin.conf');
+ var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, configFileName);
 if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
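Review bot: In src/nginx.js, `configFileName` is only type-checked in the first hunk and then goes straight into `path.join(paths.NGINX_APPCONFIG_DIR, configFileName)` in the second, so the function writes wherever a caller's string resolves to. Every caller in this commit passes a constant or `IP_BASED_SETUP_NAME + '.conf'`, so this is hardening rather than a live bug; `assert.strictEqual(path.basename(configFileName), configFileName);` next to the new typeof assert would pin the argument to a bare file name. A short comment on the parameter saying it is a file name inside `NGINX_APPCONFIG_DIR`, not a path, would also help, since the new argument was inserted in the middle of the positional list. The body of `configureAdmin` runs past both hunks.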