diff --git a/src/domains.js b/src/domains.js
index 0e398faa4..28a768f00 100644
--- a/src/domains.js
+++ b/src/domains.js
@@ -243,6 +243,7 @@ async function setConfig(domain, data, auditSource) {
 if (result.affectedRows === 0) throw new BoxError(BoxError.NOT_FOUND, 'Domain not found');
 if (fallbackCertificate) await reverseProxy.setFallbackCertificate(domain, fallbackCertificate);
+ if (domainObject.tlsConfig.provider !== tlsConfig.provider) await reverseProxy.handleCertificateProviderChanged();
 await eventlog.add(eventlog.ACTION_DOMAIN_UPDATE, auditSource, { domain, zoneName, provider });
 }
diff --git a/src/paths.js b/src/paths.js
index 29bfda241..65de71b27 100644
--- a/src/paths.js
+++ b/src/paths.js
@@ -51,6 +51,7 @@ exports = module.exports = {
 SFTP_PRIVATE_KEY_FILE: path.join(baseDir(), 'platformdata/sftp/ssh/ssh_host_rsa_key'),
 FIREWALL_BLOCKLIST_FILE: path.join(baseDir(), 'platformdata/firewall/blocklist.txt'),
 LDAP_ALLOWLIST_FILE: path.join(baseDir(), 'platformdata/firewall/ldap_allowlist.txt'),
+ REVERSE_PROXY_REBUILD_FILE: path.join(baseDir(), 'platformdata/nginx/rebuild-needed'),
 BOX_DATA_DIR: path.join(baseDir(), 'boxdata/box'),
 MAIL_DATA_DIR: path.join(baseDir(), 'boxdata/mail'),
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 3daa89a57..a963f9ef3 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -11,6 +11,8 @@ exports = module.exports = {
 getCertificatePath, // resolved cert path
 ensureCertificate,
+ handleCertificateProviderChanged,
+ checkCerts,
 // the 'configure' functions ensure a certificate and generate nginx config
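Review bot: The added provider comparison only arms a rebuild marker, so nginx keeps serving with the configs generated for the previous provider until the next checkCerts run notices the marker; that deferral is invisible from this line and deserves a comment such as `// provider change is applied lazily: checkCerts rebuilds the nginx configs on its next run`. The comparison also assumes both `domainObject.tlsConfig` and the incoming `tlsConfig` are set; if `tlsConfig` is optional in `data`, the property access throws after the row was already updated and before the audit event is written, which is worth confirming against the validation earlier in the function. setConfig starts outside the hunk, so I cannot see that validation here.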
@@ -406,7 +408,7 @@ async function renewCert(fqdn, domainObject) {
 if (domainObject.domain === settings.dashboardDomain() && getAcmeCertificatePathSync(settings.dashboardFqdn(), domainObject).certFilePath === acmePaths.certFilePath) {
 debug('renewCert: directory server certificate changed');
- const [reloadError] = await safe(shell.promises.exec('renewCert', 'systemctl reload --no-block box'));
+ const [reloadError] = await safe(shell.promises.sudo('renewCert', [ RESTART_SERVICE_CMD, 'box' ], {}));
 if (reloadError) debug(`renewCert: error updating directory server on cert change: ${reloadError.message}`);
 }
 }
@@ -748,11 +750,33 @@ async function cleanupCerts(auditSource, progressCallback) {
 debug('cleanupCerts: done');
 }
+async function rebuildConfigs(auditSource, progressCallback) {
+ assert.strictEqual(typeof auditSource, 'object');
+ assert.strictEqual(typeof progressCallback, 'function');
+
+ debug('rebuildConfigs: rebuilding all configs');
+
+ progressCallback( { message: 'Rebuilding app configs' });
+ for (const app of await apps.list()) {
+ if (app.runState === apps.RSTATE_STOPPED) continue; // not in use
+ await writeAppConfigs(app);
+ }
+ await writeDashboardConfig(await domains.get(settings.dashboardDomain()));
+ await shell.promises.sudo('rebuildConfigs', [ RESTART_SERVICE_CMD, 'box' ], {});
+
+ progressCallback( { message: 'Rebuilding mail config' });
+ await mail.handleCertChanged();
+}
+
 async function checkCerts(auditSource, progressCallback) {
 assert.strictEqual(typeof auditSource, 'object');
 assert.strictEqual(typeof progressCallback, 'function');
 await renewCerts(auditSource, progressCallback);
+ if (fs.existsSync(paths.REVERSE_PROXY_REBUILD_FILE)) {
+ await rebuildConfigs(auditSource, progressCallback);
+ safe.fs.unlinkSync(paths.REVERSE_PROXY_REBUILD_FILE);
+ }
 await cleanupCerts(auditSource, progressCallback);
 }
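Review bot: In checkCerts the marker is unlinked only after `await rebuildConfigs(...)` returns, so a provider change that setConfig records while the rebuild is in flight (it awaits per-app config writes, a dashboard config write and a service reload) is deleted without ever being applied, assuming a request handler can interleave with this task in the same process. Consuming the marker before rebuilding closes that window, and re-arming it on failure preserves the retry-on-next-run behaviour the current ordering gives you; the rewritten lines are below. Separately, `rebuildConfigs` skips apps in `RSTATE_STOPPED`, so their nginx configs keep the old provider's paths — fine if `writeAppConfigs` runs when an app starts, which the hunk does not show, and worth a comment either way. The `sudo ... box` reload issued from inside a task the box service is itself running also deserves a why-comment.
```javascript
    await renewCerts(auditSource, progressCallback);
    if (fs.existsSync(paths.REVERSE_PROXY_REBUILD_FILE)) {
        // consume the marker first so a provider change made during the rebuild is kept for the next run
        safe.fs.unlinkSync(paths.REVERSE_PROXY_REBUILD_FILE);
        try {
            await rebuildConfigs(auditSource, progressCallback);
        } catch (error) {
            await handleCertificateProviderChanged(); // re-arm so the failed rebuild is retried next run
            throw error;
        }
    }
    await cleanupCerts(auditSource, progressCallback);
    // … unchanged: rebuildConfigs, the asserts at the top of checkCerts …
```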
@@ -806,3 +830,7 @@ async function writeDefaultConfig(options) {
 await reload();
 }
+
+async function handleCertificateProviderChanged() {
+ safe.fs.writeFileSync(paths.REVERSE_PROXY_REBUILD_FILE, 'cert provider changed\n', 'utf8');
+}
diff --git a/src/scripts/restartservice.sh b/src/scripts/restartservice.sh
index 0ebed32a4..a80958885 100755
--- a/src/scripts/restartservice.sh
+++ b/src/scripts/restartservice.sh
@@ -34,6 +34,8 @@ elif [[ "${service}" == "docker" ]]; then
 systemctl restart --no-block docker
 elif [[ "${service}" == "collectd" ]]; then
 systemctl restart --no-block collectd
+elif [[ "${service}" == "box" ]]; then
+ systemctl reload --no-block box
 else
 echo "Unknown service ${service}"
 exit 1
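Review bot: handleCertificateProviderChanged discards the outcome of `safe.fs.writeFileSync`, so a failed marker write (missing `platformdata/nginx` directory, permissions) leaves the domain silently on the old provider's nginx configs with nothing logged, even though its only caller, setConfig, already propagates errors. Assuming `safe.fs.*` reports failure through its return value the way `safe(...)` does through `[error]` in renewCert, `if (!safe.fs.writeFileSync(paths.REVERSE_PROXY_REBUILD_FILE, 'cert provider changed\n', 'utf8')) throw new Error('could not write reverse proxy rebuild marker');` — or at minimum a `debug(...)` line — would surface it. The function is also `async` without any `await`, and the file content is informational only since checkCerts merely tests for existence; a header comment, `// marker file: while it exists, checkCerts rebuilds all nginx configs on its next run; the content is not read`, would save the next reader a trip to checkCerts.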
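Review bot: The new `box` branch uses `systemctl reload --no-block box`, so systemctl returns before the reload is attempted and a failing reload is never reported back through the sudo call; the JS callers in renewCert and rebuildConfigs therefore only learn about failures of this script itself, not of the reload. That mirrors the existing docker and collectd branches, but because a missed reload here means a certificate change is not picked up, a comment on the branch, `# --no-block: do not wait for the reload; failures are only visible in the journal`, would make the trade-off explicit for whoever reads the caller's "error updating directory server" message next.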