diff --git a/src/cert/acme.js b/src/cert/acme.js
index 089a05ff6..544eba164 100644
--- a/src/cert/acme.js
+++ b/src/cert/acme.js
@@ -318,6 +318,8 @@ function downloadCertificate(accountKeyPem, domain, outdir, callback) {
         var fullChainPem = Buffer.concat([certificatePem, chainPem]);
         if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
 
+        debug('downloadCertificate: cert file saved at %s', certificateFile);
+
         callback();
     });
 }
diff --git a/src/certificates.js b/src/certificates.js
index d22b4c8fc..9b859ea1a 100644
--- a/src/certificates.js
+++ b/src/certificates.js
@@ -164,14 +164,20 @@ function ensureCertificate(domain, callback) {
     settings.getTlsConfig(function (error, tlsConfig) {
         if (error) return callback(error);
 
-        if (tlsConfig.provider === 'caas') return callback(null, 'cert/host.cert', 'cert/host.key');
+        if (tlsConfig.provider === 'caas') {
+            debug('ensureCertificate: %s caas provider. using fallback certificate', domain);
+            return callback(null, 'cert/host.cert', 'cert/host.key');
+        }
 
         var certFilePath = path.join(paths.APP_CERTS_DIR, domain + '.cert');
         var keyFilePath = path.join(paths.APP_CERTS_DIR, domain + '.key');
 
-        if (fs.existsSync(certFilePath)) return callback(null, certFilePath, keyFilePath); // TODO: check if cert needs renewal
+        if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) {
+            debug('ensureCertificate: %s. certificate already exists at %s', domain, certFilePath);
+            return callback(null, certFilePath, keyFilePath); // TODO: check if cert needs renewal
+        }
 
-        debug('Using le-acme to get certificate');
+        debug('Using le-acme to get certificate for %s', domain);
 
         acme.getCertificate(domain, paths.APP_CERTS_DIR, function (error) { // TODO: Should use backend
             if (error) return callback(error);