diff --git a/cloud-controller-manager/do/certificates_test.go b/cloud-controller-manager/do/certificates_test.go
index 245f57b7a..b70c4e5f1 100644
--- a/cloud-controller-manager/do/certificates_test.go
+++ b/cloud-controller-manager/do/certificates_test.go
@@ -134,8 +134,8 @@ func Test_LBaaSCertificateScenarios(t *testing.T) {
 certService.store[cert.ID] = cert
 return service
 },
- expectedServiceCertID: "lb-cert-id",
- expectedLBCertID: "lb-cert-id",
+ expectedServiceCertID: "service-cert-id",
+ expectedLBCertID: "service-cert-id",
 },
 {
 name: "[letsencrypt] LB cert ID exists and service cert ID does not",
diff --git a/cloud-controller-manager/do/loadbalancers.go b/cloud-controller-manager/do/loadbalancers.go
index 7298b3251..998519ec0 100644
--- a/cloud-controller-manager/do/loadbalancers.go
+++ b/cloud-controller-manager/do/loadbalancers.go
@@ -326,6 +326,21 @@ func getCertificateIDFromLB(lb *godo.LoadBalancer) string {
 // Load Balancer.
 func (l *loadBalancers) recordUpdatedLetsEncryptCert(ctx context.Context, service *v1.Service, lbCertID, serviceCertID string) error {
 if lbCertID != "" && lbCertID != serviceCertID {
+ if serviceCertID != "" {
+ svcCert, _, err := l.resources.gclient.Certificates.Get(ctx, serviceCertID)
+ if err != nil {
+ respErr, ok := err.(*godo.ErrorResponse)
+ if !ok || respErr.Response.StatusCode != http.StatusNotFound {
+ return fmt.Errorf("failed to get DO certificate for service: %s", err)
+ }
+ }
+
+ // The given certificate on the service exists, pass through so the LB is updated
+ if svcCert != nil {
+ return nil
+ }
+ }
+
 lbCert, _, err := l.resources.gclient.Certificates.Get(ctx, lbCertID)
 if err != nil {
 respErr, ok := err.(*godo.ErrorResponse)
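Review bot: The new early return `if svcCert != nil { return nil }` in recordUpdatedLetsEncryptCert accepts the service's certificate ID on existence alone; nothing in the hunk checks the certificate's type or state before the load balancer is updated with it. The test change in certificates_test.go confirms that the service-side ID now wins over the LB's ID. So a stale or mistyped ID that resolves to some other certificate in the account would be applied without any log line or event. The function body continues outside the hunk, so validation may happen later or in the caller; if it does, say so in the comment, e.g. `// Existence check only; type/state are validated by the caller (confirm)`, and if it does not, consider checking `svcCert.Type` and `svcCert.State` before returning. Separately, `fmt.Errorf("... %s", err)` flattens the error; `%w` would keep the `*godo.ErrorResponse` inspectable upstream.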