diff --git a/cert/vault_source.go b/cert/vault_source.go
index e065018dd..c3cbd41f0 100644
--- a/cert/vault_source.go
+++ b/cert/vault_source.go
@@ -44,6 +44,8 @@ type VaultSource struct {
 		// This value is advisory and the Vault server may ignore or silently
 		// change it.
 		renewTTL int
+
+		once sync.Once
 	}
 }
 
@@ -69,19 +71,13 @@ func (s *VaultSource) client() (*api.Client, error) {
 
 func (s *VaultSource) setAuth(c *api.Client) error {
 	s.mu.Lock()
-
-	firstCall := true
-
 	defer func() {
 		c.SetToken(s.auth.token)
-		if firstCall {
-			s.checkRenewal(c)
-		}
+		s.auth.once.Do(func() { s.checkRenewal(c) })
 		s.mu.Unlock()
 	}()
 
 	if s.auth.token != "" {
-		firstCall = false
 		return nil
 	}