diff --git a/lib/tbot/renew.go b/lib/tbot/renew.go
index e3eb2792a9cfc..2fe6ff35c8e02 100644
--- a/lib/tbot/renew.go
+++ b/lib/tbot/renew.go
@@ -305,6 +305,8 @@ func (b *Bot) generateImpersonatedIdentity(
 return nil, trace.Wrap(err)
 }
 
+ defer impClient.Close()
+
 route, err := b.getRouteToDatabase(ctx, impClient, destCfg.Database)
 if err != nil {
 return nil, trace.Wrap(err)
@@ -463,9 +465,9 @@ func (b *Bot) renew(
 return trace.Wrap(err, "unable to communicate with auth server")
 }
 
- b.log.Debug("Auth client now using renewed credentials.")
 b.setClient(newClient)
 b.setIdent(newIdentity)
+ b.log.Debug("Auth client now using renewed credentials.")
 
 // Now that we're sure the new creds work, persist them.
 if err := identity.SaveIdentity(newIdentity, botDestination, identity.BotKinds()...); err != nil {
diff --git a/lib/tbot/tbot.go b/lib/tbot/tbot.go
index 08d61b6eacc14..4a2ed15b1abec 100644
--- a/lib/tbot/tbot.go
+++ b/lib/tbot/tbot.go
@@ -68,6 +68,11 @@ func (b *Bot) setClient(client auth.ClientI) {
 b.mu.Lock()
 defer b.mu.Unlock()
 
+ // Make sure the previous client is closed.
+ if b._client != nil {
+ _ = b._client.Close()
+ }
+
 b._client = client
 }
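Review bot: The bare `defer impClient.Close()` added in generateImpersonatedIdentity (renew.go, first hunk) discards the error from Close, so a teardown that fails leaves no trace in the logs. The function continues past the hunk, so whether impClient is used after getRouteToDatabase cannot be seen here; if it is not, closing it right after the lookup would keep the connection open for less time than a function-scoped defer. A one-line comment above the defer would record the intent, for example `// Close the per-call client so repeated renewals do not accumulate open connections.`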
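Review bot: In renew (renew.go, second hunk) `b.setClient(newClient)` runs before `identity.SaveIdentity`, and with the tbot.go change in this commit setClient closes the previous client. When SaveIdentity returns an error, there is therefore no old client left to fall back to, and the in-memory identity is newer than the one on disk. What the caller does with that error is outside the hunk, so this may be acceptable, but the ordering deserves a comment next to the call, for example `// setClient closes the previous client; from here on only newClient is usable, even if persisting fails.`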
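Review bot: setClient (tbot.go) closes the previous client while still holding `b.mu` and drops the result with `_ =`, so a slow Close stalls every other user of the lock and a failed one leaves no record that the old connection was not torn down. Any goroutine that fetched the old client before the swap would presumably see it closed mid-call; the accessor is not in this hunk, so that needs confirming against the callers. Calling setClient with the client that is already installed would close it and then store it closed, which is worth a guard or at least a doc comment stating that callers must pass a fresh client. Swapping under the lock and closing after it is released addresses the first two points; `b.log` is the logger used in renew.go.

```go
func (b *Bot) setClient(client auth.ClientI) {
	b.mu.Lock()
	prev := b._client
	b._client = client
	b.mu.Unlock()

	// Close after releasing b.mu so a slow teardown cannot block other callers.
	if prev != nil {
		if err := prev.Close(); err != nil {
			b.log.WithError(err).Debug("Failed to close previous auth client.")
		}
	}
}
```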