diff --git a/tasks/provider-letsencrypt.yml b/tasks/provider-letsencrypt.yml
index 1b65d6d..1d8fbf1 100644
--- a/tasks/provider-letsencrypt.yml
+++ b/tasks/provider-letsencrypt.yml
@@ -16,12 +16,6 @@
 changed_when: _certificate_checkend.rc == 1
 failed_when: _certificate_checkend.rc > 1
-- name: delete certificate when certificate is about to expire
- file:
- path: "{{ certificate_file }}"
- state: absent
- when: _certificate_checkend.rc == 1
-
 - name: letsencrypt request
 letsencrypt:
 account_key: "{{certificate_letsencrypt_account_key_file}}"
@@ -31,6 +25,7 @@
 acme_directory: https://acme-v01.api.letsencrypt.org/directory
 agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
 register: _letsencrypt_request
+ when: _certificate_checkend.rc == 1
 # - debug:
 # msg:
@@ -41,13 +36,11 @@
 file:
 path: /var/www/default/.well-known/acme-challenge
 state: directory
-
 - name: copy acme challenge resource
 copy:
 dest: /var/www/default/{{ item.resource }}
 content: "{{ item.resource_value }}"
 with_items: "{{ _letsencrypt_request | json_query('challenge_data.*.\"http-01\"') }}"
-
 - letsencrypt:
 account_key: "{{certificate_letsencrypt_account_key_file}}"
 csr: "{{certificate_signing_request_file}}"
@@ -57,12 +50,9 @@
 agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
 data: "{{ _letsencrypt_request }}"
 register: _letsencrypt
-
- # - debug:
- # msg:
- # _letsencrypt: "{{_letsencrypt}}"
-
- when: _letsencrypt_request.changed
+ when:
+ - _letsencrypt_request.changed
+ - _certificate_checkend.rc == 1
 - name: download letsencrypt certificate
 get_url:
diff --git a/tasks/provider-selfsigned.yml b/tasks/provider-selfsigned.yml
index 03bb1ec..76fa260 100644
--- a/tasks/provider-selfsigned.yml
+++ b/tasks/provider-selfsigned.yml
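Review bot: The `copy acme challenge resource` task in the third hunk is not gated on `_certificate_checkend.rc == 1`, yet the commit now skips the `letsencrypt request` task that produces `_letsencrypt_request` whenever the certificate is not close to expiry. On a non-renewal run that registered value is a skipped-task result with no `challenge_data`, so `json_query('challenge_data.*."http-01"')` yields nothing and, depending on the Ansible version, the loop either errors out or silently writes no challenge files; add `when: _certificate_checkend.rc == 1` to the copy task (and, unless it already carries one above the hunk, to the `.well-known/acme-challenge` directory task) to match the gate placed on the two `letsencrypt` tasks. The `download letsencrypt certificate` task continues past the last hunk, so I cannot see whether it is gated as well — it must be, otherwise a skipped `_letsencrypt` result would be used to overwrite the live certificate. Keeping the existing certificate in place until the renewed one has been downloaded, instead of deleting it first, is the right direction: a failed ACME round no longer leaves the host without a certificate.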
@@ -3,6 +3,12 @@
 - include_tasks: key.yml
 - include_tasks: csr.yml
+- name: check if the certificate will expire soon
+ command: openssl x509 -checkend {{ 60*60*24*30 }} -noout -in {{certificate_file}}
+ register: _certificate_checkend
+ changed_when: _certificate_checkend.rc == 1
+ failed_when: _certificate_checkend.rc > 1
+
 - name: self sign certificate
 command: openssl x509 -req -in "{{ certificate_signing_request_file }}"
@@ -16,6 +22,7 @@
 environment:
 PRIVATE_KEY_PASSWORD: "{{ certificate_private_key_password | default('') }}"
 notify: certificate changed
+ when: _certificate_checkend.rc == 1
 - name: link full certificate chain file
 file:
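Review bot: The new `check if the certificate will expire soon` task passes `{{certificate_file}}` to `command` unquoted, so a path containing whitespace is split into extra arguments and the check either fails or inspects the wrong file; write it as `-in "{{ certificate_file }}"`, the way the self-sign task just below quotes `-in "{{ certificate_signing_request_file }}"`. The same task is skipped under `--check`, leaving `_certificate_checkend` without an `rc`, so the `when: _certificate_checkend.rc == 1` added in the second hunk then fails on an undefined attribute; since the check is read-only, add `check_mode: false` to it (the file already uses `include_tasks`, so the Ansible version in use supports that keyword). As far as I can tell `openssl x509 -checkend` also exits 1 when the input file is missing or unparsable, which is what makes the very first run sign a certificate at all — a comment such as `# rc 1 also covers a missing/unreadable certificate, which triggers the initial signing` would make that reliance deliberate rather than accidental.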