diff --git a/.changelog/15005.txt b/.changelog/15005.txt
new file mode 100644
index 000000000..f5a1b97ec
--- /dev/null
+++ b/.changelog/15005.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ca: fix a masked bug in leaf cert generation that would not be notified of root cert rotation after the first one
+```
diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go
index b93882c23..0e326e054 100644
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@@ -165,6 +165,7 @@ func (c *ConnectCALeaf) fetchDone(rootUpdateCh chan struct{}) {
 	if len(c.rootWatchSubscribers) == 0 && c.rootWatchCancel != nil {
 		// This was the last request. Stop the root watcher.
 		c.rootWatchCancel()
+		c.rootWatchCancel = nil
 	}
 }