diff --git a/octavia/amphorae/backends/agent/api_server/certificate_update.py b/octavia/amphorae/backends/agent/api_server/certificate_update.py
index 520100a94a..79510a13d2 100644
--- a/octavia/amphorae/backends/agent/api_server/certificate_update.py
+++ b/octavia/amphorae/backends/agent/api_server/certificate_update.py
@@ -30,7 +30,7 @@ def upload_server_cert():
     flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
     # mode 00600
     mode = stat.S_IRUSR | stat.S_IWUSR
-    with os.fdopen(os.open(file_path, flags, mode), 'w') as crt_file:
+    with os.fdopen(os.open(file_path, flags, mode), 'wb') as crt_file:
         b = stream.read(BUFFER)
         while b:
             crt_file.write(b)
diff --git a/releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml b/releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml
new file mode 100644
index 0000000000..cadc3311ba
--- /dev/null
+++ b/releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    Any amphorae running a py3 based image must be recycled or else they will
+    eventually fail on certificate rotation.
+fixes:
+  - |
+    Resolved broken certificate upload on py3 based amphora images. On a
+    housekeeping certificate rotation event, the amphora would clear out its
+    server certificate and return a 500, putting the amphora in ERROR status
+    and breaking further communication. See upgrade notes.