diff --git a/octavia/amphorae/backends/agent/api_server/loadbalancer.py b/octavia/amphorae/backends/agent/api_server/loadbalancer.py
index 57940115e9..ddfc159dff 100644
--- a/octavia/amphorae/backends/agent/api_server/loadbalancer.py
+++ b/octavia/amphorae/backends/agent/api_server/loadbalancer.py
@@ -387,7 +387,7 @@ class Loadbalancer(object):
 
         stream = Wrapped(flask.request.stream)
         file = self._cert_file_path(lb_id, filename)
-        flags = os.O_WRONLY | os.O_CREAT
+        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
         # mode 00600
         mode = stat.S_IRUSR | stat.S_IWUSR
         with os.fdopen(os.open(file, flags, mode), 'wb') as crt_file:
diff --git a/releasenotes/notes/fix-listener-update-certs-failed-315c66f4806e76c8.yaml b/releasenotes/notes/fix-listener-update-certs-failed-315c66f4806e76c8.yaml
new file mode 100644
index 0000000000..e87ea73883
--- /dev/null
+++ b/releasenotes/notes/fix-listener-update-certs-failed-315c66f4806e76c8.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fix update listener certs failed. The fix ensures
+    that an existing certificate gets overwritten properly.