diff --git a/pkg/config/tlscfg/options.go b/pkg/config/tlscfg/options.go
index f4fa2237717..af4267f9e53 100644
--- a/pkg/config/tlscfg/options.go
+++ b/pkg/config/tlscfg/options.go
@@ -41,13 +41,8 @@ var systemCertPool = x509.SystemCertPool // to allow overriding in unit test
 // Config loads TLS certificates and returns a TLS Config.
 func (p Options) Config(logger *zap.Logger) (*tls.Config, error) {
-	w, err := newWatchCerts(p, logger)
-	if err != nil {
-		return nil, err
-	}
-	p.watcher = w
-	certPool, err := p.loadCertPool(logger)
+	certPool, err := p.loadCertPool()
 	if err != nil {
 		return nil, fmt.Errorf("failed to load CA CertPool: %w", err)
 	}
@@ -57,6 +52,20 @@ func (p Options) Config(logger *zap.Logger) (*tls.Config, error) {
 		ServerName: p.ServerName,
 		InsecureSkipVerify: p.SkipHostVerify,
 	}
+	if p.ClientCAPath != "" {
+		certPool := x509.NewCertPool()
+		if err := addCertToPool(p.ClientCAPath, certPool); err != nil {
+			return nil, err
+		}
+		tlsCfg.ClientCAs = certPool
+		tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
+	w, err := newWatchCerts(p, logger)
+	if err != nil {
+		return nil, err
+	}
+	p.watcher = w
 	if (p.CertPath == "" && p.KeyPath != "") || (p.CertPath != "" && p.KeyPath == "") {
 		return nil, fmt.Errorf("for client auth via TLS, either both client certificate and key must be supplied, or neither")
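Review bot: The CertPath/KeyPath consistency check still sits below the relocated `w, err := newWatchCerts(p, logger)` call, so when only one of the two paths is set the caller will get the key-pair load error from reload.go instead of the explicit "either both ... or neither" message that the check exists to produce — assuming newWatchCerts loads the key pair whenever CertPath is set, which the reload.go hunk suggests but whose guarding condition is outside the hunk. Moving the `if (p.CertPath == "" && p.KeyPath != "") || (p.CertPath != "" && p.KeyPath == "") {` block above the `newWatchCerts` call keeps the clearer diagnostic and avoids starting a watcher for a configuration that is about to be rejected. Separately, the moved `certPool := x509.NewCertPool()` shadows the `certPool` returned by loadCertPool earlier in this function; naming it `clientCAPool` makes it obvious that `tlsCfg.ClientCAs` is a distinct pool from `RootCAs`. Config's body continues in the next hunk.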
@@ -71,19 +80,11 @@ func (p Options) Config(logger *zap.Logger) (*tls.Config, error) {
 		}
 	}
-	if p.ClientCAPath != "" {
-		certPool := x509.NewCertPool()
-		if err := addCertToPool(p.ClientCAPath, certPool); err != nil {
-			return nil, err
-		}
-		tlsCfg.ClientCAs = certPool
-		tlsCfg.ClientAuth = tls.RequireAndVerifyClientCert
-	}
 	go p.watcher.watchChangesLoop(tlsCfg.RootCAs, tlsCfg.ClientCAs)
 	return tlsCfg, nil
 }
-func (p Options) loadCertPool(logger *zap.Logger) (*x509.CertPool, error) {
+func (p Options) loadCertPool() (*x509.CertPool, error) {
 	if len(p.CAPath) == 0 { // no truststore given, use SystemCertPool
 		certPool, err := systemCertPool()
 		if err != nil {
@@ -102,6 +103,7 @@ func (p Options) loadCertPool(logger *zap.Logger) (*x509.CertPool, error) {
 func addCertToPool(caPath string, certPool *x509.CertPool) error {
 	caPEM, err := ioutil.ReadFile(filepath.Clean(caPath))
 	if err != nil {
+		fmt.Println("AAAA here")
 		return fmt.Errorf("failed to load CA %s: %w", caPath, err)
 	}
diff --git a/pkg/config/tlscfg/reload.go b/pkg/config/tlscfg/reload.go
index 06ab12c8b64..9f4143a3f12 100644
--- a/pkg/config/tlscfg/reload.go
+++ b/pkg/config/tlscfg/reload.go
@@ -17,6 +17,7 @@ package tlscfg
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"fmt"
 	"io"
 	"path/filepath"
 	"sync"
@@ -41,7 +42,7 @@ func newWatchCerts(opts Options, logger *zap.Logger) (*watchCerts, error) {
 	// load certs at startup to catch missing certs error early
 	c, err := tls.LoadX509KeyPair(filepath.Clean(opts.CertPath), filepath.Clean(opts.KeyPath))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to load server TLS cert and key: %w", err)
 	}
 	cert = c
 }
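Review bot: `fmt.Println("AAAA here")` in addCertToPool is a leftover debug print that writes to stdout on every CA read failure and should be dropped before merge; the wrapped error on the next line already carries the path and the cause, so nothing is lost by removing it. If a log line is genuinely wanted at this point, it belongs on the package's zap logger at debug level rather than on stdout, where operators cannot filter or route it.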
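Review bot: The new wrapping message says "server TLS cert and key", but newWatchCerts receives the same Options that Config populates with client-side settings (ServerName, SkipHostVerify, and the "for client auth via TLS" message in options.go), so the wording will be misleading whenever the key pair is a client certificate. A side-neutral message that also names the inputs, matching the style of addCertToPool's `failed to load CA %s` error, would be `return nil, fmt.Errorf("failed to load TLS cert %q and key %q: %w", opts.CertPath, opts.KeyPath, err)`. newWatchCerts begins before this hunk, so the condition under which LoadX509KeyPair runs is not visible here.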