diff --git a/certbot/files/hooks/haproxy.sh b/certbot/files/hooks/haproxy.sh
index 20d68fde..0ddc32e8 100644
--- a/certbot/files/hooks/haproxy.sh
+++ b/certbot/files/hooks/haproxy.sh
@@ -22,12 +22,21 @@ haproxy_bin=$(command -v haproxy)
 if [ -n "$(pidof haproxy)" ] && [ -n "${haproxy_bin}" ]; then
     if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
         haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
+        failed_cert_file="/root/$(basename "${RENEWED_LINEAGE}").failed.pem"
 
         debug "Concatenating certificate files to ${haproxy_cert_file}"
         cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
         chmod 600 "${haproxy_cert_file}"
         chown root: "${haproxy_cert_file}"
 
+        haproxy_cert_md5=$(openssl x509 -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
+        haproxy_key_md5=$(openssl rsa -noout -modulus -in "${haproxy_cert_file}" | openssl md5)
+
+        if [ "${haproxy_cert_md5}" != "${haproxy_key_md5}" ]; then
+            mv "${haproxy_cert_file}" "${failed_cert_file}"
+            error "Key and cert don't match, we moved the file to ${failed_cert_file} for inspection"
+        fi
+
         if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
             debug "HAProxy detected... reloading"
             systemctl reload apache2