diff --git a/src/certificates.js b/src/certificates.js
index 46bdabe9b..f3a120cff 100644
--- a/src/certificates.js
+++ b/src/certificates.js
@@ -99,7 +99,7 @@ function ensureFallbackCertificate(callback) {
     var fallbackCertPath = path.join(paths.NGINX_CERT_DIR, 'host.cert');
     var fallbackKeyPath = path.join(paths.NGINX_CERT_DIR, 'host.key');
 
-    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) { // user's custom fallback certs (when restoring, updating)
+    if (fs.existsSync(certFilePath) && fs.existsSync(keyFilePath)) { // existing custom fallback certs (when restarting, restoring, updating)
         debug('ensureFallbackCertificate: using fallback certs provided by user');
         if (!safe.child_process.execSync('cp ' + certFilePath + ' ' + fallbackCertPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
         if (!safe.child_process.execSync('cp ' + keyFilePath + ' ' + fallbackKeyPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
@@ -107,7 +107,8 @@ function ensureFallbackCertificate(callback) {
         return callback();
     }
 
-    if (config.tlsCert() && config.tlsKey()) { // cert from CaaS or cloudron-setup
+    if (config.tlsCert() && config.tlsKey()) {
+        // cert from CaaS or cloudron-setup. these files should _not_ be part of the backup
         debug('ensureFallbackCertificate: using CaaS/cloudron-setup fallback certs');
         if (!safe.fs.writeFileSync(fallbackCertPath, config.tlsCert())) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
         if (!safe.fs.writeFileSync(fallbackKeyPath, config.tlsKey())) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
@@ -115,11 +116,16 @@ function ensureFallbackCertificate(callback) {
         return callback();
     }
 
-    // generate a self-signed cert (FIXME: this cert does not cover the naked domain. needs SAN)
+    // generate a self-signed cert. it's in backup dir so that we don't create a new cert across restarts
+    // FIXME: this cert does not cover the naked domain. needs SAN
     if (config.fqdn()) {
         debug('ensureFallbackCertificate: generating self-signed certificate');
-        var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', fallbackKeyPath, fallbackCertPath, config.fqdn());
+        var certCommand = util.format('openssl req -x509 -newkey rsa:2048 -keyout %s -out %s -days 3650 -subj /CN=*.%s -nodes', keyFilePath, certFilePath, config.fqdn());
         safe.child_process.execSync(certCommand);
+
+        if (!safe.child_process.execSync('cp ' + certFilePath + ' ' + fallbackCertPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+        if (!safe.child_process.execSync('cp ' + keyFilePath + ' ' + fallbackKeyPath)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+
         return callback();
     } else {
         debug('ensureFallbackCertificate: cannot generate fallback certificate without domain');