diff --git a/octavia/api/drivers/utils.py b/octavia/api/drivers/utils.py index ea1a2e6d84..b7305fed54 100644 --- a/octavia/api/drivers/utils.py +++ b/octavia/api/drivers/utils.py @@ -272,11 +272,13 @@ def listener_dict_to_provider_dict(listener_dict, for_delete=False): if listener_obj.client_ca_tls_certificate_id: cert = _get_secret_data(cert_manager, listener_obj.project_id, - listener_obj.client_ca_tls_certificate_id) + listener_obj.client_ca_tls_certificate_id, + for_delete=for_delete) new_listener_dict['client_ca_tls_container_data'] = cert if listener_obj.client_crl_container_id: crl_file = _get_secret_data(cert_manager, listener_obj.project_id, - listener_obj.client_crl_container_id) + listener_obj.client_crl_container_id, + for_delete=for_delete) new_listener_dict['client_crl_container_data'] = crl_file # Format the allowed_cidrs @@ -394,12 +396,14 @@ def pool_dict_to_provider_dict(pool_dict, for_delete=False): if pool_obj.ca_tls_certificate_id: cert = _get_secret_data(cert_manager, pool_obj.project_id, - pool_obj.ca_tls_certificate_id) + pool_obj.ca_tls_certificate_id, + for_delete=for_delete) new_pool_dict['ca_tls_container_data'] = cert if pool_obj.crl_container_id: crl_file = _get_secret_data(cert_manager, pool_obj.project_id, - pool_obj.crl_container_id) + pool_obj.crl_container_id, + for_delete=for_delete) new_pool_dict['crl_container_data'] = crl_file # Remove the DB back references diff --git a/octavia/tests/unit/api/drivers/test_utils.py b/octavia/tests/unit/api/drivers/test_utils.py index 4d41d29e68..6205227aaa 100644 --- a/octavia/tests/unit/api/drivers/test_utils.py +++ b/octavia/tests/unit/api/drivers/test_utils.py 
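Review bot: The four call sites that now pass `for_delete=for_delete` to `_get_secret_data` (client CA and CRL in `listener_dict_to_provider_dict`, CA and CRL in `pool_dict_to_provider_dict` in the second hunk) do not document what ends up in `client_ca_tls_container_data`, `client_crl_container_data`, `ca_tls_container_data` and `crl_container_data` when the secret cannot be retrieved. `_get_secret_data` is outside these hunks, so the fallback value is inferred, but whatever it is gets handed on in the provider dict. The release note mentions the update path as well as delete, so I would state the contract next to the first call, e.g. `# for_delete=True tolerates an unretrievable CA/CRL; the value is a placeholder and must never configure client-cert verification or revocation checking`. It is also worth confirming that no create or update caller reaches these functions with `for_delete=True`. Both function bodies start and end outside the hunks.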
@@ -274,6 +274,8 @@ class TestUtils(base.TestCase): del expect_prov['sni_container_data'] provider_listener = utils.listener_dict_to_provider_dict( self.sample_data.test_listener1_dict, for_delete=True) + args, kwargs = mock_secret.call_args + self.assertEqual(kwargs['for_delete'], True) self.assertEqual(expect_prov, provider_listener) @mock.patch('octavia.api.drivers.utils._get_secret_data') @@ -379,6 +381,8 @@ class TestUtils(base.TestCase): provider_pool_dict = utils.pool_dict_to_provider_dict( self.sample_data.test_pool1_dict, for_delete=True) provider_pool_dict.pop('crl_container_ref') + args, kwargs = mock_secret.call_args + self.assertEqual(kwargs['for_delete'], True) self.assertEqual(expect_prov, provider_pool_dict) def test_db_HM_to_provider_HM(self): diff --git a/releasenotes/notes/fix-update-listener-ca-error-167464debc06cba2.yaml b/releasenotes/notes/fix-update-listener-ca-error-167464debc06cba2.yaml new file mode 100644 index 0000000000..25c0e32cee --- /dev/null +++ b/releasenotes/notes/fix-update-listener-ca-error-167464debc06cba2.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixed "Could not retrieve certificate" error when updating/deleting the + client_ca_tls_container_ref field of a listener after a CA/CRL was deleted.
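Review bot: `mock_secret.call_args` in both added assertions (the listener test here and the pool test in the hunk at -379) holds only the last call to `_get_secret_data`. If the fixtures carry both a CA and a CRL reference, dropping `for_delete` from the first lookup would still pass. Checking every recorded call closes that gap: `for call in mock_secret.call_args_list: self.assertTrue(call[1]['for_delete'])`. The unpacked `args` is unused, and `assertEqual(kwargs['for_delete'], True)` reads better as `assertIs(kwargs['for_delete'], True)`. Both test methods begin outside the hunks, so the fixture contents are not visible here.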