diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 5d8bb42ca..cdc3eb747 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -124,7 +124,7 @@ function providerMatchesSync(domainObject, certFilePath, apiOptions) {
 const domain = subject.substr(subject.indexOf('=') + 1).trim(); // subject can be /CN=, CN=, CN = and other forms
 const issuer = subjectAndIssuer.match(/^issuer=(.*)$/m)[1];
 const isWildcardCert = domain.includes('*');
- const isLetsEncryptProd = issuer.includes('Let\'s Encrypt');
+ const isLetsEncryptProd = issuer.includes('Let\'s Encrypt') && !issuer.includes('STAGING');
 const issuerMismatch = (apiOptions.prod && !isLetsEncryptProd) || (!apiOptions.prod && isLetsEncryptProd);
 // bare domain is not part of wildcard SAN
@@ -663,13 +663,8 @@ function renewCerts(options, auditSource, progressCallback, callback) {
 debug(`renewCerts: creating new nginx config since ${appDomain.nginxConfigFilename} does not have ${bundle.certFilePath}`);
 // reconfigure since the cert changed
- if (appDomain.type === 'webadmin') {
+ if (appDomain.type === 'webadmin' || appDomain.type === 'webadmin+mail') {
 return writeDashboardNginxConfig(bundle, `${settings.adminFqdn()}.conf`, settings.adminFqdn(), iteratorCallback);
- } else if (appDomain.type === 'webadmin+mail') {
- return async.series([
- mail.handleCertChanged,
- writeDashboardNginxConfig.bind(null, bundle, `${settings.adminFqdn()}.conf`, settings.adminFqdn())
- ], iteratorCallback);
 } else if (appDomain.type === 'primary') {
 return writeAppNginxConfig(appDomain.app, appDomain.fqdn, bundle, iteratorCallback);
 } else if (appDomain.type === 'alternate') {
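Review bot: The added `!issuer.includes('STAGING')` test in providerMatchesSync (hunk at -124) is a case-sensitive substring match on the issuer text, and nothing on the line records which issuer naming it relies on. A staging certificate that passes as production would be left in place even though clients do not trust it, so the assumption is worth stating next to the check, for example `// LE staging issuers carry "(STAGING)" in their name; such certs must not count as prod`. If the exact casing is not guaranteed, `!/staging/i.test(issuer)` is the more tolerant form. The function starts and ends outside the hunk, so how `issuerMismatch` is consumed cannot be checked here.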
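Review bot: With `'webadmin+mail'` folded into the `'webadmin'` branch of renewCerts (hunk at -663), the mail service learns about a new certificate only if a later step tells it, because the `mail.handleCertChanged` call that used to run here is gone. The replacement appears to be the `renewed.includes(settings.mailFqdn())` step in the hunk at -687, which works only if this domain has been added to `renewed` before the branch returns, and that is not visible in the hunk. A comment on the branch would make the dependency explicit, e.g. `// mail.handleCertChanged for 'webadmin+mail' runs once after the loop, when settings.mailFqdn() is in renewed`. The if/else chain and the enclosing iterator continue outside the hunk.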
@@ -687,7 +682,7 @@ function renewCerts(options, auditSource, progressCallback, callback) {
 if (renewed.length === 0) return callback(null);
 async.series([
- (next) => { return renewed.includes(settings.mailFqdn()) ? mail.handleCertChanged(next) : next(); },// mail cert renewed
+ (next) => { if (renewed.includes(settings.mailFqdn())) mail.handleCertChanged(next); else next(); }, // mail cert renewed
 reload, // reload nginx if any certs were updated but the config was not rewritten
 (next) => { // restart tls apps on cert change
 const tlsApps = allApps.filter(app => app.manifest.addons && app.manifest.addons.tls && renewed.includes(app.fqdn));
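Review bot: An error passed to `next` by `mail.handleCertChanged` in the first step ends the `async.series` before `reload` and the TLS app restart run, so nginx would presumably keep serving the previous certificates while the renewed ones sit on disk. If a mail failure should not block the web reload, log it and continue: `mail.handleCertChanged((error) => { if (error) debug('renewCerts: mail cert handling failed', error); next(); });`. The series array and its final callback continue outside the hunk, so the error handling there cannot be seen.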