diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
index 4282e8ce9..f1282cf81 100644
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -126,7 +126,7 @@ func (v *VaultProvider) renewToken(ctx context.Context, renewer *vaultapi.Renewe
 
 		case err := <-renewer.DoneCh():
 			if err != nil {
-				v.logger.Error(fmt.Sprintf("Error renewing token for Vault provider: %v", err))
+				v.logger.Error("Error renewing token for Vault provider", "error", err)
 			}
 
 			// Renewer routine has finished, so start it again.
diff --git a/agent/consul/leader_connect.go b/agent/consul/leader_connect.go
index 602018b57..d464d1409 100644
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@@ -567,21 +567,20 @@ func (s *Server) startConnectLeader() {
 
 // stopConnectLeader stops connect specific leader functions.
 func (s *Server) stopConnectLeader() {
-	s.caProviderReconfigurationLock.Lock()
-	defer s.caProviderReconfigurationLock.Unlock()
+	s.leaderRoutineManager.Stop(secondaryCARootWatchRoutineName)
+	s.leaderRoutineManager.Stop(intentionReplicationRoutineName)
+	s.leaderRoutineManager.Stop(caRootPruningRoutineName)
+	s.stopConnectLeaderEnterprise()
 
 	// If the provider implements NeedsStop, we call Stop to perform any shutdown actions.
+	s.caProviderReconfigurationLock.Lock()
+	defer s.caProviderReconfigurationLock.Unlock()
 	provider, _ := s.getCAProvider()
 	if provider != nil {
 		if needsStop, ok := provider.(ca.NeedsStop); ok {
 			needsStop.Stop()
 		}
 	}
-
-	s.leaderRoutineManager.Stop(secondaryCARootWatchRoutineName)
-	s.leaderRoutineManager.Stop(intentionReplicationRoutineName)
-	s.leaderRoutineManager.Stop(caRootPruningRoutineName)
-	s.stopConnectLeaderEnterprise()
 }
 
 func (s *Server) runCARootPruning(ctx context.Context) error {