diff --git a/src/charm.py b/src/charm.py
index dad6fa05..9f42adae 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -278,6 +278,9 @@ def _update_received_ca_certs(self, event: Optional[CertificateTransferAvailable
         Calling this function from upgrade-charm might be too early though. Pebble-ready is
         preferred.
         """
+        if not self.container.can_connect():
+            return
+
         if event:
             self.container.push(
                 _RECV_CA_TEMPLATE.substitute(rel_id=event.relation_id), event.ca, make_dirs=True
diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
index b37ef3a4..db8ad4c4 100644
--- a/tests/unit/test_charm.py
+++ b/tests/unit/test_charm.py
@@ -410,6 +410,52 @@ def test_tcp_config(self):
         assert yaml.safe_load(static_config)["entryPoints"][prefix] == expected_entrypoint
 
 
+class TestTraefikCertTransferInterface(unittest.TestCase):
+    def setUp(self):
+        self.harness: Harness[TraefikIngressCharm] = Harness(TraefikIngressCharm)
+        self.harness.set_model_name("test-model")
+        self.addCleanup(self.harness.cleanup)
+        patcher = patch.object(TraefikIngressCharm, "version", property(lambda *_: "0.0.0"))
+        self.mock_version = patcher.start()
+        self.addCleanup(patcher.stop)
+        self.container_name = "traefik"
+
+    @patch("ops.model.Container.exec")
+    @patch("charm._get_loadbalancer_status", lambda **__: "10.0.0.1")
+    @patch("charm.KubernetesServicePatch", lambda *_, **__: None)
+    def test_given_container_can_connect_when_receive_ca_cert_relation_joins_then_ca_certs_are_updated(
+        self, patch_exec
+    ):
+        provider_app = "self-signed-certificates"
+        self.harness.set_leader(True)
+        self.harness.begin_with_initial_hooks()
+        self.harness.set_can_connect(container=self.container_name, val=True)
+        certificate_transfer_rel_id = self.harness.add_relation(
+            relation_name="receive-ca-cert", remote_app=provider_app
+        )
+        self.harness.add_relation_unit(
+            relation_id=certificate_transfer_rel_id, remote_unit_name=f"{provider_app}/0"
+        )
+        patch_exec.assert_called_once_with(["update-ca-certificates", "--fresh"])
+
+    @patch("ops.model.Container.exec")
+    @patch("charm._get_loadbalancer_status", lambda **__: "10.0.0.1")
+    @patch("charm.KubernetesServicePatch", lambda *_, **__: None)
+    def test_given_container_not_ready_when_receive_ca_cert_relation_joins_then_ca_certs_are_not_updated(
+        self, patch_exec
+    ):
+        provider_app = "self-signed-certificates"
+        self.harness.set_leader(True)
+        self.harness.set_can_connect(container=self.container_name, val=False)
+        certificate_transfer_rel_id = self.harness.add_relation(
+            relation_name="receive-ca-cert", remote_app=provider_app
+        )
+        self.harness.add_relation_unit(
+            relation_id=certificate_transfer_rel_id, remote_unit_name=f"{provider_app}/0"
+        )
+        patch_exec.assert_not_called()
+
+
 class TestConfigOptionsValidation(unittest.TestCase):
     @patch("charm._get_loadbalancer_status", lambda **_: "10.0.0.1")
     @patch("charm.KubernetesServicePatch", lambda *_, **__: None)