diff --git a/cluster/certificates.go b/cluster/certificates.go
index cd458489..7b96aad3 100644
--- a/cluster/certificates.go
+++ b/cluster/certificates.go
@@ -184,6 +184,12 @@ func RotateRKECertificates(ctx context.Context, c *Cluster, flags ExternalFlags,
 if c.Certificates[pki.ServiceAccountTokenKeyName].Key != nil {
 serviceAccountTokenKey = string(cert.EncodePrivateKeyPEM(c.Certificates[pki.ServiceAccountTokenKeyName].Key))
 }
+ // check for legacy clusters prior to requestheaderca
+ if c.Certificates[pki.RequestHeaderCACertName].Certificate == nil {
+ if err := pki.GenerateRKERequestHeaderCACert(ctx, c.Certificates, flags.ClusterFilePath, flags.ConfigDir); err != nil {
+ return err
+ }
+ }
 if err := pki.GenerateRKEServicesCerts(ctx, c.Certificates, c.RancherKubernetesEngineConfig, flags.ClusterFilePath, flags.ConfigDir, true); err != nil {
 return err
 }
diff --git a/cmd/common.go b/cmd/common.go
index 962d9cff..820490aa 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -201,7 +201,7 @@ func fetchAndUpdateStateFromLegacyCluster(ctx context.Context, kubeCluster *clus
 // try to fetch certs from nodes
 recoveredCerts, err = cluster.GetClusterCertsFromNodes(ctx, kubeCluster)
 if err != nil {
- return err
+ return fmt.Errorf("Failed to fetch cluster certs from nodes, aborting upgrade: %v", err)
 }
 }
 fullState.CurrentState.RancherKubernetesEngineConfig = kubeCluster.RancherKubernetesEngineConfig.DeepCopy()
diff --git a/pki/deploy.go b/pki/deploy.go
index b7889078..d550e4d2 100644
--- a/pki/deploy.go
+++ b/pki/deploy.go
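Review bot: The new guard generates the request-header CA silently and returns the bare `err` on failure, so a rotation that fails at this step gives no hint which certificate was being created; the cmd/common.go hunk in this same commit wraps its error with context, and this one should match it, e.g. `return fmt.Errorf("generating request header CA certificate for legacy cluster: %v", err)` (assuming fmt is imported in this file). Because this CA is what the API server trusts for front-proxy client authentication, a log line before the generate call would make the automatic addition visible in the rotation output rather than happening unnoticed. The guard only tests the CA entry; the API proxy client certificate, which the pki/deploy.go hunk now also tolerates as missing from a node, is presumably produced by the following GenerateRKEServicesCerts call, worth confirming. The comment could also state the intent more precisely: `// Legacy clusters were created before the request-header CA existed; generate it so rotation can proceed.` RotateRKECertificates starts and ends outside the hunk.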
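Review bot: The new `return fmt.Errorf(...)` line starts with a capital letter and the redundant "Failed to" prefix, and `%v` flattens the underlying error so callers can no longer inspect it with errors.Is/As; `return fmt.Errorf("fetching cluster certs from nodes, aborting upgrade: %w", err)` keeps the chain, assuming the module targets Go 1.13 or later (not visible here). Aborting the upgrade instead of continuing with partially recovered certificates is the right fail-closed behaviour, and the added context is a clear improvement over the bare `err`. fetchAndUpdateStateFromLegacyCluster starts and ends outside the hunk.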
@@ -198,25 +198,37 @@ func FetchCertificatesFromHost(ctx context.Context, extraHosts []*hosts.Host, ho
 for certName, config := range crtList {
 certificate := CertificatePKI{}
 crt, err := FetchFileFromHost(ctx, GetCertTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificates")
- // I will only exit with an error if it's not a not-found-error and this is not an etcd certificate
- if err != nil && !strings.HasPrefix(certName, "kube-etcd") {
+ // Return error if the certificate file is not found but only if its not etcd or request header certificate
+ if err != nil && !strings.HasPrefix(certName, "kube-etcd") &&
+ certName != RequestHeaderCACertName &&
+ certName != APIProxyClientCertName {
 // IsErrNotFound doesn't catch this because it's a custom error
 if isFileNotFoundErr(err) {
- return nil, nil
+ return nil, fmt.Errorf("Certificate %s is not found", GetCertTempPath(certName))
 }
 return nil, err
 }
- // If I can't find an etcd I will not fail and will create it later.
- if crt == "" && strings.HasPrefix(certName, "kube-etcd") {
+ // If I can't find an etcd or request header ca I will not fail and will create it later.
+ if crt == "" && (strings.HasPrefix(certName, "kube-etcd") ||
+ certName == RequestHeaderCACertName ||
+ certName == APIProxyClientCertName) {
 tmpCerts[certName] = CertificatePKI{}
 continue
 }
 key, err := FetchFileFromHost(ctx, GetKeyTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificate")
-
+ if err != nil {
+ if isFileNotFoundErr(err) {
+ return nil, fmt.Errorf("Key %s is not found", GetKeyTempPath(certName))
+ }
+ return nil, err
+ }
 if config {
 config, err := FetchFileFromHost(ctx, GetConfigTempPath(certName), image, host, prsMap, CertFetcherContainer, "certificate")
 if err != nil {
+ if isFileNotFoundErr(err) {
+ return nil, fmt.Errorf("Config %s is not found", GetConfigTempPath(certName))
+ }
 return nil, err
 }
 certificate.Config = config