diff --git a/puppet/zulip/manifests/profile/app_frontend.pp b/puppet/zulip/manifests/profile/app_frontend.pp
index 0b25d39675..abb1ba4dfb 100644
--- a/puppet/zulip/manifests/profile/app_frontend.pp
+++ b/puppet/zulip/manifests/profile/app_frontend.pp
@@ -60,6 +60,10 @@ class zulip::profile::app_frontend {
 source => 'puppet:///modules/zulip/letsencrypt/nginx-deploy-hook.sh',
 require => Package[certbot],
 }
+ exec { 'fix-standalone-certbot':
+ onlyif => 'test -d /etc/letsencrypt/renewal && grep -qx "authenticator = standalone" /etc/letsencrypt/renewal/*.conf',
+ command => "${::zulip_scripts_path}/lib/fix-standalone-certbot",
+ }
 # Restart the server regularly to avoid potential memory leak problems.
 file { '/etc/cron.d/restart-zulip':
diff --git a/scripts/lib/fix-standalone-certbot b/scripts/lib/fix-standalone-certbot
new file mode 100755
index 0000000000..ed7faaefc8
--- /dev/null
+++ b/scripts/lib/fix-standalone-certbot
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -eu
+set -o pipefail
+
+hostnames=$(grep -l 'authenticator = standalone' /etc/letsencrypt/renewal/*.conf | sed 's/.*\///; s/\.conf$//')
+
+for hostname in $hostnames; do
+ # Force a cert renewal to force the config file to update
+ /usr/bin/certbot certonly --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ --force-renewal -d "$hostname"
+done
+
+# Pick up any updated certs
+service nginx reload
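Review bot: The new `exec { 'fix-standalone-certbot': }` declares no ordering, while the `file` resource directly above it carries `require => Package[certbot]`. The script it runs calls `/usr/bin/certbot`, so the exec should at least have `require => Package[certbot],`. If this class also manages the nginx configuration that serves `/var/lib/zulip/certbot-webroot/` (not visible here), it should be ordered after that too. The `onlyif` guard matches with `grep -qx` (whole line) but the script selects files with a plain `grep -l`, so the two can disagree on which renewal files count; use the same pattern in both. The enclosing class starts and ends outside the hunk.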
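Review bot: The loop passes the renewal file's base name to `-d "$hostname"`, but that name is the certbot lineage name, not necessarily a hostname. It can carry a suffix such as `-0001` or be a custom name, and a lineage can cover several domains, so the forced reissue may request a different name set than the certificate it replaces. Selecting the lineage with `--cert-name "$hostname"` and taking the `-d` list from the existing certificate would keep the reissued certificate equivalent. `for hostname in $hostnames` also relies on word splitting of unquoted output; reading the names with `while IFS= read -r` is more robust. Because of `set -e`, one failed renewal stops the loop before `service nginx reload`, so certificates renewed earlier in the loop are not picked up until a later reload.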