diff --git a/acme/acme.go b/acme/acme.go
index c3498d074..9b41778e4 100644
--- a/acme/acme.go
+++ b/acme/acme.go
@@ -142,6 +142,22 @@ type DomainsCertificate struct {
 	tlsCert     *tls.Certificate
 }
 
+func (dc *DomainsCertificate) needRenew() bool {
+	for _, c := range dc.tlsCert.Certificate {
+		crt, err := x509.ParseCertificate(c)
+		if err != nil {
+			// If there's an error, we assume the cert is broken, and needs update
+			return true
+		}
+		// <= 7 days left, renew certificate
+		if crt.NotAfter.Before(time.Now().Add(time.Duration(24 * 7 * time.Hour))) {
+			return true
+		}
+	}
+
+	return false
+}
+
 // ACME allows to connect to lets encrypt and retrieve certs
 type ACME struct {
 	Email       string
@@ -289,8 +305,7 @@ func (a *ACME) retrieveCertificates(client *acme.Client, account *Account) {
 
 func (a *ACME) renewCertificates(client *acme.Client, account *Account) error {
 	for _, certificateResource := range account.DomainsCertificate.Certs {
-		// <= 7 days left, renew certificate
-		if certificateResource.tlsCert.Leaf.NotAfter.Before(time.Now().Add(time.Duration(24 * 7 * time.Hour))) {
+		if certificateResource.needRenew() {
 			log.Debugf("Renewing certificate %+v", certificateResource.Domains)
 			renewedCert, err := client.RenewCertificate(acme.CertificateResource{
 				Domain:        certificateResource.Certificate.Domain,