diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
index 76c6e910a9dbc..2ffa5df559c65 100644
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -476,6 +476,7 @@ authLoop:
 currentIPs deephash.Sum // tailscale IPs assigned to device
 currentDeviceID deephash.Sum // device ID
 currentDeviceEndpoints deephash.Sum // device FQDN and IPs
+ currentCertDomains []string
 currentEgressIPs deephash.Sum
@@ -653,12 +654,15 @@ runLoop:
 backendAddrs = newBackendAddrs
 }
 if cfg.ServeConfigPath != "" {
+ newCertDomains := append([]string(nil), n.NetMap.DNS.CertDomains...)
+ certDomainsHaveChanged := !slices.Equal(currentCertDomains, newCertDomains)
+ currentCertDomains = newCertDomains
 cd := certDomainFromNetmap(n.NetMap)
 if cd == "" {
 cd = kubetypes.ValueNoHTTPS
 }
 prev := certDomain.Swap(new(cd))
- if prev == nil || *prev != cd {
+ if prev == nil || *prev != cd || certDomainsHaveChanged {
 select {
 case certDomainChanged <- true:
 default:
diff --git a/cmd/containerboot/serve.go b/cmd/containerboot/serve.go
index f64d2d24f681f..a2334a0678853 100644
--- a/cmd/containerboot/serve.go
+++ b/cmd/containerboot/serve.go
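Review bot: The change check in the runLoop hunk, `!slices.Equal(currentCertDomains, newCertDomains)`, is order-sensitive, so a netmap that carries the same cert domains in a different order would signal `certDomainChanged` and re-run the serve and certificate handling without any real change. Whether the control plane guarantees a stable order is not visible here; if it does not, sort the private copy before comparing, `slices.Sort(newCertDomains)`. The copy itself reads more directly as `slices.Clone(n.NetMap.DNS.CertDomains)`, since `slices` is already used on the next line. The new `currentCertDomains` field in the first hunk is the only one of its neighbours without a trailing comment; something like `// cert domains last seen in the netmap` would match them. The loop body around both hunks starts and ends outside the visible lines.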
@@ -91,18 +91,18 @@ func watchServeConfigChanges(ctx context.Context, cdChanged <-chan bool, certDom
 log.Printf("serve proxy: no serve config at %q, skipping", cfg.ServeConfigPath)
 continue
 }
- if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
- continue
- }
- if err := updateServeConfig(ctx, sc, certDomain, klc.New(lc)); err != nil {
- log.Fatalf("serve proxy: error updating serve config: %v", err)
- }
- if kc != nil && kc.canPatch {
- if err := kc.storeHTTPSEndpoint(ctx, certDomain); err != nil {
- log.Fatalf("serve proxy: error storing HTTPS endpoint: %v", err)
+ configChanged := prevServeConfig == nil || !reflect.DeepEqual(sc, prevServeConfig)
+ if configChanged {
+ if err := updateServeConfig(ctx, sc, certDomain, klc.New(lc)); err != nil {
+ log.Fatalf("serve proxy: error updating serve config: %v", err)
+ }
+ if kc != nil && kc.canPatch {
+ if err := kc.storeHTTPSEndpoint(ctx, certDomain); err != nil {
+ log.Fatalf("serve proxy: error storing HTTPS endpoint: %v", err)
+ }
 }
+ prevServeConfig = sc
 }
- prevServeConfig = sc
 if cfg.CertShareMode != "rw" {
 continue
 }
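Review bot: Nothing in the new code says why the early `continue` on an unchanged serve config was replaced by the `configChanged` block, and a later cleanup could easily fold it back into a guard clause. A comment above `configChanged := ...` would pin the intent, for example `// Do not continue when the serve config is unchanged: a cert domain change alone must still reach the cert share handling below.` That reason is inferred from the main.go hunk, which now signals on `certDomainsHaveChanged`; the code after the `cfg.CertShareMode != "rw"` check is outside the hunk, so confirm the wording against it. watchServeConfigChanges starts and ends outside the hunk.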