diff --git a/lib/charms/mongodb/v0/mongodb_tls.py b/lib/charms/mongodb/v0/mongodb_tls.py
index f87d2d9c2..f55fc9bcc 100644
--- a/lib/charms/mongodb/v0/mongodb_tls.py
+++ b/lib/charms/mongodb/v0/mongodb_tls.py
@@ -13,6 +13,7 @@
 import socket
 from typing import List, Optional, Tuple
+from charms.mongodb.v0.mongodb import MongoDBConnection
 from charms.tls_certificates_interface.v1.tls_certificates import (
 CertificateAvailableEvent,
 CertificateExpiringEvent,
@@ -22,7 +23,7 @@
 )
 from ops.charm import ActionEvent, RelationBrokenEvent, RelationJoinedEvent
 from ops.framework import Object
-from ops.model import ActiveStatus, MaintenanceStatus, Unit
+from ops.model import ActiveStatus, MaintenanceStatus, Unit, WaitingStatus
 from config import Config
@@ -39,7 +40,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 6
+LIBPATCH = 7
 logger = logging.getLogger(__name__)
@@ -195,7 +196,12 @@ def _on_certificate_available(self, event: CertificateAvailableEvent) -> None:
 self.charm.push_tls_certificate_to_workload()
 self.charm.unit.status = MaintenanceStatus("enabling TLS")
 self.charm.restart_mongod_service()
- self.charm.unit.status = ActiveStatus()
+
+ with MongoDBConnection(self.charm.mongodb_config) as mongo:
+ if not mongo.is_ready:
+ self.charm.unit.status = WaitingStatus("Waiting for MongoDB to start")
+ else:
+ self.charm.unit.status = ActiveStatus()
 def _waiting_for_certs(self):
 """Returns a boolean indicating whether additional certs are needed."""
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
index 967c397ce..e1fede145 100644
--- a/lib/charms/mongodb/v1/helpers.py
+++ b/lib/charms/mongodb/v1/helpers.py
@@ -29,7 +29,7 @@
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 2
+LIBPATCH = 3
 # path to store mongodb ketFile
 KEY_FILE = "keyFile"
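Review bot: In `_on_certificate_available` (mongodb_tls.py), the new `WaitingStatus("Waiting for MongoDB to start")` branch has no visible path that re-checks readiness, so a unit whose mongod is slow to return after the TLS restart may stay in waiting until some unrelated hook overwrites the status. The handler's body begins outside the hunk and another handler may already cover this; if so, record it above the `with` block, e.g. `# status is re-evaluated by <hook name>; this handler does not retry`. Separately, `is_ready` appears to confirm only that mongod answers, not that the new certificate is the one being served. Since this commit also moves the server to `preferTLS`, the probe could succeed without TLS, depending on how `mongodb_config` builds the connection URI, so "active" here should not be read as "TLS verified".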
@@ -174,7 +174,7 @@ def get_mongod_args(
 f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
 f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
 # allow non-TLS connections
- "--tlsMode=requireTLS",
+ "--tlsMode=preferTLS",
 "--tlsDisabledProtocols=TLS1_0,TLS1_1",
 ]
 )
@@ -184,6 +184,7 @@ def get_mongod_args(
 cmd.extend(
 [
 "--clusterAuthMode=x509",
+ "--tlsAllowInvalidCertificates",
 f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
 f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
 ]
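Review bot: `--tlsMode=preferTLS` in the external-TLS block of `get_mongod_args` makes mongod accept plaintext client connections for as long as this argument list is in use, so a client that connects without TLS will authenticate and exchange data unencrypted even though certificates are deployed. The existing comment `# allow non-TLS connections` now matches the flag but gives neither a reason nor an end condition. If the relaxation is only needed while units pick up their certificates, say so and name the way back, e.g. `# preferTLS only during TLS rollout; return to requireTLS once all units hold certificates`, or gate the value on that condition. The function starts and ends outside the hunk, so the condition guarding this block is not visible here.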
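Review bot: `--tlsAllowInvalidCertificates`, added directly after `--clusterAuthMode=x509`, turns off certificate validation on this mongod, so a peer presenting an expired or untrusted-CA certificate can still complete the TLS handshake and the `--tlsClusterCAFile` passed two lines later is no longer enforced at that stage. MongoDB documents that an invalid certificate is not sufficient for x.509 authentication, which limits the impact, but intra-cluster transport is still weakened and the reason is not recorded anywhere in the hunk. If this is a workaround for certificate rotation or for certificates that do not yet validate, state that in a comment, e.g. `# TODO: remove once unit certificates validate against TLS_INT_CA_FILE`, and prefer fixing the certificates over disabling validation. The enclosing `get_mongod_args` body extends beyond the hunk.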