diff --git a/CHANGES b/CHANGES
index f550ced13..58c45c9f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1770,4 +1770,5 @@
 * Fix user listing regression in group edit dialog
 * Do not show error page for 503
 * Add mail list and mail box update events
+* Certs of stopped apps are not renewed
 
diff --git a/src/apptask.js b/src/apptask.js
index d393f7ccf..3ba9ef437 100644
--- a/src/apptask.js
+++ b/src/apptask.js
@@ -920,6 +920,10 @@ function start(app, args, progressCallback, callback) {
         progressCallback.bind(null, { percent: 20, message: 'Starting container' }),
         docker.startContainer.bind(null, app.id),
 
+        // stopped apps do not renew certs. currently, we don't do DNS to not overwrite existing user settings
+        progressCallback.bind(null, { percent: 60, message: 'Configuring reverse proxy' }),
+        configureReverseProxy.bind(null, app),
+
         progressCallback.bind(null, { percent: 100, message: 'Done' }),
         updateApp.bind(null, app, { installationState: apps.ISTATE_INSTALLED, error: null, health: null })
     ], function seriesDone(error) {
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index b37c93e1c..35d61dfd1 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -582,6 +582,8 @@ function renewCerts(options, auditSource, progressCallback, callback) {
 
         // add app main
         allApps.forEach(function (app) {
+            if (app.runState === apps.RSTATE_STOPPED) return; // do not renew certs of stopped apps
+
             appDomains.push({ domain: app.domain, fqdn: app.fqdn, type: 'main', app: app, nginxConfigFilename: path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf') });
 
             app.alternateDomains.forEach(function (alternateDomain) {