diff --git a/internal/workflow/engine/executor_end.go b/internal/workflow/engine/executor_end.go
index 6d674d3a..8f53e7cc 100644
--- a/internal/workflow/engine/executor_end.go
+++ b/internal/workflow/engine/executor_end.go
@@ -12,7 +12,7 @@ func (ne *endNodeExecutor) Execute(execCtx *NodeExecutionContext) (*NodeExecutio
 execRes := newNodeExecutionResult(execCtx.Node)
 execRes.Terminated = true
- ne.logger.Info("the is ending")
+ ne.logger.Info("the workflow is ending")
 return execRes, nil
 }
diff --git a/internal/workflow/engine/executor_start.go b/internal/workflow/engine/executor_start.go
index c4f93c1d..977594b8 100644
--- a/internal/workflow/engine/executor_start.go
+++ b/internal/workflow/engine/executor_start.go
@@ -11,7 +11,7 @@ type startNodeExecutor struct {
 func (ne *startNodeExecutor) Execute(execCtx *NodeExecutionContext) (*NodeExecutionResult, error) {
 execRes := newNodeExecutionResult(execCtx.Node)
- ne.logger.Info("")
+ ne.logger.Info("the workflow is starting")
 return execRes, nil
 }
diff --git a/pkg/core/ssl-deployer/providers/tencentcloud-cos/tencentcloud_cos.go b/pkg/core/ssl-deployer/providers/tencentcloud-cos/tencentcloud_cos.go
index 19075388..d626e197 100644
--- a/pkg/core/ssl-deployer/providers/tencentcloud-cos/tencentcloud_cos.go
+++ b/pkg/core/ssl-deployer/providers/tencentcloud-cos/tencentcloud_cos.go
@@ -93,6 +93,12 @@ func (d *SSLDeployerProvider) Deploy(ctx context.Context, certPEM string, privke
 d.logger.Info("ssl certificate uploaded", slog.Any("result", upres))
 }
+ // 避免多次部署,否则会报错 https://github.com/certimate-go/certimate/issues/897#issuecomment-3182904098
+ if bind, _ := d.checkIsBind(ctx, upres.CertId); bind {
+ d.logger.Info("ssl certificate already deployed")
+ return &core.SSLDeployResult{}, nil
+ }
+
 // 证书部署到 COS 实例
 // REF: https://cloud.tencent.com/document/api/400/91667
 deployCertificateInstanceReq := tcssl.NewDeployCertificateInstanceRequest()
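Review bot: The error returned by `checkIsBind` is thrown away in `if bind, _ := d.checkIsBind(ctx, upres.CertId); bind {` of the tencentcloud_cos.go hunk, so a failed lookup (SDK error, unexpected task status) is treated exactly like "not bound" and leaves no trace in the deploy log. It also swallows `ctx.Err()`, which checkIsBind returns on cancellation, so Deploy goes on to the DeployCertificateInstance call after the caller has already cancelled. I would keep the error, `bind, err := d.checkIsBind(ctx, upres.CertId)`, and either return it or, if the check is meant to be best-effort, log it and return only when `ctx.Err() != nil`. Deploy's body starts and ends outside this hunk.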
@@ -158,6 +164,64 @@ func (d *SSLDeployerProvider) Deploy(ctx context.Context, certPEM string, privke
 return &core.SSLDeployResult{}, nil
 }
+func (d *SSLDeployerProvider) checkIsBind(ctx context.Context, cloudCertId string) (bool, error) {
+ // 创建证书关联云资源异步任务
+ // REF: https://cloud.tencent.com/document/api/400/97759
+ createCertificateBindResourceSyncTaskReq := tcssl.NewCreateCertificateBindResourceSyncTaskRequest()
+ createCertificateBindResourceSyncTaskReq.CertificateIds = []*string{common.StringPtr(cloudCertId)}
+ createCertificateBindResourceSyncTaskReq.IsCache = common.Uint64Ptr(0)
+ createCertificateBindResourceSyncTaskResp, err := d.sdkClient.SSL.CreateCertificateBindResourceSyncTask(createCertificateBindResourceSyncTaskReq)
+ d.logger.Debug("sdk request 'ssl.CreateCertificateBindResourceSyncTask'", slog.Any("request", createCertificateBindResourceSyncTaskReq), slog.Any("response", createCertificateBindResourceSyncTaskResp))
+ if err != nil {
+ return false, fmt.Errorf("failed to execute sdk request 'ssl.CreateCertificateBindResourceSyncTask': %w", err)
+ }
+
+ // 查询证书关联云资源任务结果
+ // REF: https://cloud.tencent.com/document/api/400/97758
+ for {
+ select {
+ case <-ctx.Done():
+ return false, ctx.Err()
+ default:
+ }
+
+ describeCertificateBindResourceTaskDetailReq := tcssl.NewDescribeCertificateBindResourceTaskDetailRequest()
+ describeCertificateBindResourceTaskDetailReq.TaskId = createCertificateBindResourceSyncTaskResp.Response.CertTaskIds[0].TaskId
+ describeCertificateBindResourceTaskDetailReq.ResourceTypes = []*string{common.StringPtr("cos")}
+ describeCertificateBindResourceTaskDetailReq.Regions = []*string{common.StringPtr(d.config.Region)}
+ describeCertificateBindResourceTaskDetailReq.Offset = common.StringPtr("0")
+ describeCertificateBindResourceTaskDetailReq.Limit = common.StringPtr("100")
+ describeCertificateBindResourceTaskDetailResp, err := d.sdkClient.SSL.DescribeCertificateBindResourceTaskDetail(describeCertificateBindResourceTaskDetailReq)
+ d.logger.Debug("sdk request 'ssl.DescribeCertificateBindResourceTaskDetail'", slog.Any("request", describeCertificateBindResourceTaskDetailReq), slog.Any("response", describeCertificateBindResourceTaskDetailResp))
+ if err != nil {
+ return false, fmt.Errorf("failed to execute sdk request 'ssl.DescribeCertificateBindResourceTaskDetail': %w", err)
+ }
+
+ if describeCertificateBindResourceTaskDetailResp.Response.Status == nil || *describeCertificateBindResourceTaskDetailResp.Response.Status == 2 {
+ return false, errors.New("unexpected tencentcloud query task status")
+ } else if *describeCertificateBindResourceTaskDetailResp.Response.Status == 1 {
+ for _, record := range describeCertificateBindResourceTaskDetailResp.Response.COS {
+ for _, instance := range record.InstanceList {
+ if instance.Bucket == nil || *instance.Bucket != d.config.Bucket {
+ continue
+ }
+ if instance.Domain == nil || *instance.Domain != d.config.Domain {
+ continue
+ }
+ if instance.Status == nil || *instance.Status != "ENABLED" {
+ continue
+ }
+ return true, nil
+ }
+ }
+ return false, nil
+ }
+
+ d.logger.Info("waiting for tencentcloud query task completion")
+ time.Sleep(time.Second * 5)
+ }
+}
+
 func createSDKClients(secretId, secretKey, region string) (*wSDKClients, error) {
 credential := common.NewCredential(secretId, secretKey)
 client, err := tcssl.NewClient(credential, region, profile.NewClientProfile())
diff --git a/pkg/core/ssl-deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go b/pkg/core/ssl-deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go
index a3f6f015..bf670dea 100644
--- a/pkg/core/ssl-deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go
+++ b/pkg/core/ssl-deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go
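Review bot: In the new `checkIsBind` (tencentcloud_cos.go), `createCertificateBindResourceSyncTaskResp.Response.CertTaskIds[0].TaskId` is read on every poll without checking that the create-task response carried a task id, so a nil `Response` or an empty `CertTaskIds` panics the deployer instead of returning an error. The polling loop also has no bound of its own and waits with `time.Sleep`, so a task that never leaves the pending status keeps polling until the caller's context ends, and a cancellation is only noticed after the five-second sleep. I would validate the task id once before the loop and wait with a `select` on `ctx.Done()`. Only the first page is inspected (`Offset` "0", `Limit` "100"), so a binding that falls beyond the first 100 entries would presumably be reported as not bound; a comment stating that limit, or paging, would help.

```go
// … unchanged: CreateCertificateBindResourceSyncTask request, debug log and error check …
if createCertificateBindResourceSyncTaskResp.Response == nil ||
	len(createCertificateBindResourceSyncTaskResp.Response.CertTaskIds) == 0 {
	return false, errors.New("tencentcloud returned no bind resource task id")
}
taskId := createCertificateBindResourceSyncTaskResp.Response.CertTaskIds[0].TaskId

for {
	// … unchanged: ctx.Done() check, DescribeCertificateBindResourceTaskDetail request (with TaskId = taskId), status handling …

	d.logger.Info("waiting for tencentcloud query task completion")
	select {
	case <-ctx.Done():
		return false, ctx.Err()
	case <-time.After(5 * time.Second):
	}
}
```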
@@ -118,6 +118,7 @@ func (d *SSLDeployerProvider) Deploy(ctx context.Context, certPEM string, privke
 describeHostDeployRecordDetailReq := tcssl.NewDescribeHostDeployRecordDetailRequest()
 describeHostDeployRecordDetailReq.DeployRecordId = common.StringPtr(fmt.Sprintf("%d", *deployCertificateInstanceResp.Response.DeployRecordId))
+ describeHostDeployRecordDetailReq.Limit = common.Uint64Ptr(200)
 describeHostDeployRecordDetailResp, err := d.sdkClient.DescribeHostDeployRecordDetail(describeHostDeployRecordDetailReq)
 d.logger.Debug("sdk request 'ssl.DescribeHostDeployRecordDetail'", slog.Any("request", describeHostDeployRecordDetailReq), slog.Any("response", describeHostDeployRecordDetailResp))
 if err != nil {
diff --git a/pkg/core/ssl-deployer/providers/tencentcloud-ssl-update/tencentcloud_ssl_update.go b/pkg/core/ssl-deployer/providers/tencentcloud-ssl-update/tencentcloud_ssl_update.go
index 4395818e..cc685a0c 100644
--- a/pkg/core/ssl-deployer/providers/tencentcloud-ssl-update/tencentcloud_ssl_update.go
+++ b/pkg/core/ssl-deployer/providers/tencentcloud-ssl-update/tencentcloud_ssl_update.go
@@ -151,6 +151,7 @@ func (d *SSLDeployerProvider) executeUpdateCertificateInstance(ctx context.Conte
 describeHostUpdateRecordDetailReq := tcssl.NewDescribeHostUpdateRecordDetailRequest()
 describeHostUpdateRecordDetailReq.DeployRecordId = common.StringPtr(deployRecordId)
+ describeHostUpdateRecordDetailReq.Limit = common.StringPtr("200")
 describeHostUpdateRecordDetailResp, err := d.sdkClient.DescribeHostUpdateRecordDetail(describeHostUpdateRecordDetailReq)
 d.logger.Debug("sdk request 'ssl.DescribeHostUpdateRecordDetail'", slog.Any("request", describeHostUpdateRecordDetailReq), slog.Any("response", describeHostUpdateRecordDetailResp))
 if err != nil {
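Review bot: The new `describeHostDeployRecordDetailReq.Limit = common.Uint64Ptr(200)` is an unexplained page size with no offset loop, so a deploy record with more than 200 hosts would still be evaluated on a partial list by whatever code consumes the response (that code is outside the hunk). A short comment such as `// fetch up to 200 host records in one page; records beyond that are not inspected` would make the bound explicit, or the call could page until all records are read. The same applies to `describeHostUpdateRecordDetailReq.Limit = common.StringPtr("200")` in the tencentcloud_ssl_update.go hunk. Both enclosing functions start and end outside their hunks.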