diff --git a/src/dstack/_internal/proxy/gateway/services/nginx.py b/src/dstack/_internal/proxy/gateway/services/nginx.py
index 469c8f5cd..259acc05c 100644
--- a/src/dstack/_internal/proxy/gateway/services/nginx.py
+++ b/src/dstack/_internal/proxy/gateway/services/nginx.py
@@ -105,8 +105,11 @@ def write_conf(self, conf: str, conf_name: str) -> None:
                 sudo_rm(conf_path)
             raise
 
-    @staticmethod
-    def run_certbot(domain: str, acme: ACMESettings) -> None:
+    @classmethod
+    def run_certbot(cls, domain: str, acme: ACMESettings) -> None:
+        if cls.certificate_exists(domain):
+            return
+
         logger.info("Running certbot for %s", domain)
 
         cmd = ["sudo", "timeout", "--kill-after", str(CERTBOT_2ND_TIMEOUT), str(CERTBOT_TIMEOUT)]
@@ -134,6 +137,11 @@ def run_certbot(domain: str, acme: ACMESettings) -> None:
         if r.returncode != 0:
             raise ProxyError(f"Error obtaining {domain} TLS certificate:\n{r.stderr.decode()}")
 
+    @staticmethod
+    def certificate_exists(domain: str) -> bool:
+        cmd = ["sudo", "test", "-e", f"/etc/letsencrypt/live/{domain}/fullchain.pem"]
+        return subprocess.run(cmd, timeout=2).returncode == 0
+
     @staticmethod
     def get_config_name(domain: str) -> str:
         return f"443-{domain}.conf"