diff --git a/src/src/tls.c b/src/src/tls.c
index d5d11bcea..e6b1bf7a7 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -158,73 +158,73 @@ return FALSE; # endif # ifdef EXIM_HAVE_KEVENT { uschar * s, * t; int fd1, fd2, i, j, cnt = 0; struct stat sb; #ifdef OpenBSD struct kevent k_dummy; struct timespec ts = {0}; #endif errno = 0; if (Ustrcmp(filename, "system,cache") == 0) return TRUE; for (;;) { if (kev_used > KEV_SIZE-2) { s = US"out of kev space"; goto bad; } if (!(s = Ustrrchr(filename, '/'))) return FALSE; s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */ /* The dir open will fail if there is a symlink on the path. Fine; it's too much effort to handle all possible cases; just refuse the preload. */ if ((fd2 = open(CCS s, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open dir"; goto bad; } if ((lstat(CCS filename, &sb)) < 0) { s = US"lstat"; goto bad; } if (!S_ISLNK(sb.st_mode)) { if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open file"; goto bad; } - DEBUG(D_tls) debug_printf("watch file '%s'\n", filename); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1); + EV_SET(&kev[kev_used++], (uintptr_t)fd1, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND | NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE, 0, NULL); cnt++; } - DEBUG(D_tls) debug_printf("watch dir '%s'\n", s); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch dir '%s':\t%d\n", s, fd2); + EV_SET(&kev[kev_used++], (uintptr_t)fd2, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND | NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE, 0, NULL); cnt++; if (!(S_ISLNK(sb.st_mode))) break; t = store_get(1024, FALSE); Ustrncpy(t, s, 1022); j = Ustrlen(s); t[j++] = '/'; if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; } filename = t; *(t += i+j) = '\0'; store_release_above(t+1); } #ifdef OpenBSD if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, &k_dummy, 1, &ts) >= 0) return TRUE; #else if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, 
NULL, 0, NULL) >= 0) return TRUE; #endif s = US"kevent"; @@ -293,60 +293,61 @@ tls_watch_discard_event(int fd) #ifdef EXIM_HAVE_KEVENT struct kevent kev; struct timespec t = {0}; (void) kevent(fd, NULL, 0, &kev, 1, &t); #endif } #endif /*EXIM_HAVE_INOTIFY*/ void tls_client_creds_reload(BOOL watch) { for(transport_instance * t = transports; t; t = t->next) if (Ustrcmp(t->driver_name, "smtp") == 0) { tls_client_creds_invalidate(t); tls_client_creds_init(t, watch); } } void tls_watch_invalidate(void) { if (tls_watch_fd < 0) return; #ifdef EXIM_HAVE_KEVENT /* Close the files we had open for kevent */ for (int i = 0; i < kev_used; i++) { + DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident); (void) close((int) kev[i].ident); kev[i].ident = (uintptr_t)-1; } kev_used = 0; #endif close(tls_watch_fd); tls_watch_fd = -1; } static void tls_daemon_creds_reload(void) { unsigned lifetime; #ifdef EXIM_HAVE_KEVENT tls_watch_invalidate(); #endif tls_server_creds_invalidate(); tls_creds_expire = (lifetime = tls_server_creds_init()) ? time(NULL) + lifetime : 0; tls_client_creds_reload(TRUE); } /* Utility predicates for use by the per-library code */ static BOOL
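Review bot: `fd2` is leaked on the two error exits that follow the directory open: a failing `lstat` or a failing file `open` jumps to `bad` before the descriptor is recorded in `kev[]`, so the close loop in `tls_watch_invalidate` never reaches it. Unless the `bad:` handler, which lies past the end of this hunk, closes it, each failed preload costs the daemon one descriptor; closing `fd2` ahead of those two `goto bad` jumps (preserving `errno` if the handler reports it) would plug that. The symlink branch in the context lines also deserves a bound: `j = Ustrlen(s)` measures the source rather than the 1022-byte copy, so a directory part longer than 1022 bytes sends `t[j++] = '/'` and the `1023-j` length given to `readlink` past the 1024-byte `store_get` block. A check such as `if (Ustrlen(s) > 1021) { s = US"path too long"; goto bad; }` before the copy would close that, assuming nothing earlier in the function, which starts before this hunk, already limits the path length.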