diff --git a/messages/en-US.json b/messages/en-US.json
index 378725468..e85eff9e7 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -2908,7 +2908,7 @@
 "maintenancePageTimeTitle": "Estimated Completion Time (Optional)",
 "privateMaintenanceScreenTitle": "Private Placeholder Screen",
 "privateMaintenanceScreenMessage": "This domain is being used on a private resource. Please connect using the Pangolin client to access this resource.",
- "privateMaintenanceScreenSteps": "Once connected, if you are still seeing this message your browser's DNS cache may still point to the old address. To fix this: fully close and reopen your browser, then navigate back to this page.",
+ "privateMaintenanceScreenSteps": "Once connected, if you are still seeing this message your browser's DNS cache may still point to the old address. To fix this: fully close and reopen this tab, or your browser, then navigate back to this page.",
 "maintenanceTime": "e.g., 2 hours, Nov 1 at 5:00 PM",
 "maintenanceEstimatedTimeDescription": "When you expect maintenance to be completed",
 "editDomain": "Edit Domain",
diff --git a/server/private/lib/acmeCertSync.ts b/server/private/lib/acmeCertSync.ts
index 62a18b805..014a5959b 100644
--- a/server/private/lib/acmeCertSync.ts
+++ b/server/private/lib/acmeCertSync.ts
@@ -279,7 +279,11 @@ async function syncAcmeCerts(
 }
 for (const cert of resolverData.Certificates) {
- const domain = cert.domain?.main;
+ const rawDomain = cert.domain?.main;
+ const domain = rawDomain.startsWith("*.")
+ ? rawDomain.slice(2)
+ : rawDomain;
+ const wildcard = rawDomain.startsWith("*.");
 if (!domain) {
 logger.debug(`acmeCertSync: skipping cert with missing domain`);
@@ -309,7 +313,12 @@ async function syncAcmeCerts(
 const existing = await db
 .select()
 .from(certificates)
- .where(eq(certificates.domain, domain))
+ .where(
+ and(
+ eq(certificates.domain, domain),
+ eq(certificates.wildcard, wildcard)
+ )
+ )
 .limit(1);
 let oldCertPem: string | null = null;
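Review bot: In the `@@ -279` hunk of server/private/lib/acmeCertSync.ts, `rawDomain.startsWith("*.")` runs before the `if (!domain)` guard, so a certificate entry whose `cert.domain?.main` is undefined now throws a TypeError instead of being skipped with the debug log. Unless an enclosing try/catch exists outside the hunk, one malformed entry in the resolver data would abort the sync for every remaining certificate. Computing the flag null-safely keeps the skip path: `const wildcard = rawDomain?.startsWith("*.") ?? false;` followed by `const domain = wildcard ? rawDomain?.slice(2) : rawDomain;`. The loop body continues outside the hunk.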
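Review bot: The lookup in the `@@ -309` hunk now matches on the stripped name, but the line removed in the `@@ -364` hunk shows the previous code derived `wildcard` from a `domain` that still carried the `*.` prefix, so rows written before this change presumably hold a prefixed value such as `*.example.com` (constructed example) in `certificates.domain`. Those rows will no longer satisfy `eq(certificates.domain, domain)`, so the sync would take whatever the no-existing-row path is and leave the old row, with its encrypted key material, in place. A one-off migration that rewrites prefixed rows, or a fallback lookup on `rawDomain`, would avoid stale duplicates; any unique constraint on `certificates.domain` should also be checked now that a wildcard and a non-wildcard row can share a name. `and` must already be in the file's query-builder import, which this diff does not touch.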
@@ -364,7 +373,6 @@ async function syncAcmeCerts(
 }
 }
- const wildcard = domain.startsWith("*.");
 const encryptedCert = encrypt(
 certPem,
 config.getRawConfig().server.secret!