diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
index 8791a7242d8..3f8c267e2b9 100644
--- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go
+++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
@@ -68,8 +68,9 @@ func PerformPostUpgradeTasks(client clientset.Interface, cfg *kubeadmapi.MasterC
 errs = append(errs, err)
 }
+ shouldBackup, err := shouldBackupAPIServerCertAndKey(newK8sVer)
 // Don't fail the upgrade phase if failing to determine to backup kube-apiserver cert and key.
- if shouldBackup, err := shouldBackupAPIServerCertAndKey(newK8sVer); err != nil {
+ if err != nil {
 fmt.Printf("[postupgrade] WARNING: failed to determine to backup kube-apiserver cert and key: %v", err)
 } else if shouldBackup {
 // Don't fail the upgrade phase if failing to backup kube-apiserver cert and key.
diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade_v18_19.go b/cmd/kubeadm/app/phases/upgrade/postupgrade_v18_19.go
index ccedb491cec..e8d9b30cde0 100644
--- a/cmd/kubeadm/app/phases/upgrade/postupgrade_v18_19.go
+++ b/cmd/kubeadm/app/phases/upgrade/postupgrade_v18_19.go
@@ -64,29 +64,35 @@ func rollbackFiles(files map[string]string, originalErr error) error {
 errs = append(errs, err)
 }
 }
- return fmt.Errorf("couldn't roll back kube-apiserver cert and key! Got errors: %v", errors.NewAggregate(errs))
+ return fmt.Errorf("couldn't move these files: %v. Got errors: %v", files, errors.NewAggregate(errs))
 }
 // shouldBackupAPIServerCertAndKey check if the new k8s version is at least 1.9.0
 // and kube-apiserver will be expired in 60 days.
 func shouldBackupAPIServerCertAndKey(newK8sVer *version.Version) (bool, error) {
- if !newK8sVer.AtLeast(v190) {
+ if !newK8sVer.LessThan(v190) {
 return false, nil
- }
- data, err := ioutil.ReadFile(filepath.Join(kubeadmapiext.DefaultCertificatesDir, constants.APIServerCertName))
+ apiServerCert := filepath.Join(kubeadmapiext.DefaultCertificatesDir, constants.APIServerCertName)
+ data, err := ioutil.ReadFile(apiServerCert)
 if err != nil {
 return false, fmt.Errorf("failed to read kube-apiserver certificate from disk: %v", err)
 }
+ block, _ := pem.Decode(data)
 if block == nil {
 return false, fmt.Errorf("expected the kube-apiserver certificate to be PEM encoded")
 }
+ certs, err := x509.ParseCertificates(block.Bytes)
 if err != nil {
 return false, fmt.Errorf("unable to parse certificate data: %v", err)
 }
+ if len(certs) == 0 {
+ return false, fmt.Errorf("no certificate data found")
+ }
+ if certs[0].NotAfter.Sub(time.Now()) < 60*24*time.Hour {
 return true, nil
 }
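Review bot: The new guard in shouldBackupAPIServerCertAndKey, `if !newK8sVer.LessThan(v190) {`, returns false for every target version at or above 1.9.0, which is the opposite of the removed `!newK8sVer.AtLeast(v190)` check and of the doc comment directly above it. As written, the certificate expiry check is skipped for exactly the upgrades it is meant to cover and runs only for targets older than 1.9.0, so a kube-apiserver certificate within 60 days of NotAfter would not be reported for backup. The line should read `if newK8sVer.LessThan(v190) {`. The closing brace of that `if` also shows up on a removed line in this view with no added counterpart, so it is worth confirming the new side still closes the block before `apiServerCert` is assigned. The function's final return lies outside the hunk.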