diff --git a/hooks/keystone_hooks.py b/hooks/keystone_hooks.py
index d2cd1770..4ab616c6 100755
--- a/hooks/keystone_hooks.py
+++ b/hooks/keystone_hooks.py
@@ -427,16 +427,18 @@ def cluster_changed():
 check_peer_actions()
+ if is_pki_enabled():
+ initialise_pki()
+
+ # Figure out if we need to mandate a sync
 units = get_ssl_sync_request_units()
 synced_units = relation_get(attribute='ssl-synced-units', unit=local_unit())
+ diff = None
 if synced_units:
 synced_units = json.loads(synced_units)
 diff = set(units).symmetric_difference(set(synced_units))
- if is_pki_enabled():
- initialise_pki()
-
 if units and (not synced_units or diff):
 log("New peers joined and need syncing - %s" % (', '.join(units)), level=DEBUG)
@@ -448,7 +450,8 @@ def cluster_changed():
 admin_relation_changed(rid)
 if not is_elected_leader(CLUSTER_RES) and is_ssl_cert_master():
- # Sync and let go
+ # Force and sync and trigger a sync master re-election since we are not
+ # leader anymore.
 force_ssl_sync()
 else:
 CONFIGS.write_all()
diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py
index da5590be..33dba69c 100644
--- a/hooks/keystone_utils.py
+++ b/hooks/keystone_utils.py
@@ -1170,9 +1170,9 @@ def force_ssl_sync():
 """Force SSL sync to all peers. This is useful if we need to relinquish ssl-cert-master status while
- making sure that the new master has upt-o-date certs.
+ making sure that the new master has up-to-date certs.
 """
- pass
+ return
 def ensure_ssl_dir():
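Review bot: In the first keystone_hooks.py hunk, `if is_pki_enabled(): initialise_pki()` moves ahead of the sync decision with no comment saying why the order matters, so a later cleanup could move it back below the `diff` computation. If the intent is that the PKI material must exist before a peer sync is requested (inferred from the reorder, not shown in the hunk), a comment such as `# Initialise PKI before deciding on a sync so that any sync triggered below distributes current certs` would record it. Separately, the context line `json.loads(synced_units)` parses peer-supplied relation data without handling `ValueError`, so a malformed `ssl-synced-units` value would abort the hook before the sync check runs. cluster_changed starts and ends outside the hunk, so existing handling may live elsewhere.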
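Review bot: In the second keystone_hooks.py hunk, the new comment above `force_ssl_sync()` opens with "Force and sync", which reads as a typo for "Force a sync"; I would write `# Force a sync and trigger a sync master re-election since we are not` followed by `# leader anymore.`. The comment also says the call triggers a re-election, which cannot be confirmed from this page because the keystone_utils.py hunk shows `force_ssl_sync()` with only a docstring and `return`. Naming where the re-election is actually triggered would help the next reader of this certificate hand-over path. The enclosing `if`/`else` continues outside the hunk.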
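Review bot: In the keystone_utils.py hunk, `force_ssl_sync()` still has an empty body after `pass` becomes `return`, so whatever performs the sync must be attached outside the visible lines (presumably a decorator above the `def`, which the hunk does not show). The docstring should say so, for example by adding `The sync itself is performed by the wrapper applied to this function; the body is intentionally empty.`, worded to match the real mechanism. Without that, the caller in cluster_changed, which relies on this function to push up-to-date certs before giving up ssl-cert-master status, would silently do nothing if the wrapper were ever dropped. Swapping `pass` for `return` has no effect on behaviour, and neither is needed after a docstring.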