diff --git a/get-certs.sh b/get-certs.sh
index 474d520..f3f91f0 100755
--- a/get-certs.sh
+++ b/get-certs.sh
@@ -90,6 +90,7 @@ while read -r host; do
   # If "tor" option is used, then connect again via Tor,
   # to check if we get the same cert from a different network perspective.
+  mismatch=0
   if [ "${1:-}" = 'tor' ] && [ -n "${host##*.onion}" ]; then
     # If torsocks is not installed, return.
@@ -101,9 +102,11 @@ while read -r host; do
     cert_via_tor=$(fetch_cert "$host_and_port" 'timeout 25' 'torsocks')
     if [ -z "$cert_via_tor" ]; then
+      # Tor connection failed.
       [ -n "$cert" ] && >&2 echo # output empty line to stderr if cert was downloaded without Tor
       >&2 echo "$host_and_port - Tor connection failed"
     elif [ -n "$cert" ] && [ "$cert" != "$cert_via_tor" ]; then
+      # Mismatch.
       >&2 echo "$host_and_port - Tor VERIFICATION FAILED (certs don't match)!!!"
       # In this case, don't save any certificate to file.
       # Output both certificates to stderr instead.
@@ -111,7 +114,7 @@ while read -r host; do
       >&2 echo "$cert"
       >&2 echo "CERT VIA TOR:"
       >&2 echo "$cert_via_tor"
-      continue
+      mismatch=1
     else
       # If direct connection failed and Tor connection succeeded,
       # use the cert received via Tor.
@@ -120,15 +123,19 @@ while read -r host; do
   fi
-  if [ -n "$cert" ]; then
+  if [ $mismatch -eq 1 ]; then
+    # Mismatch.
+    printf ' - failed (cert mismatch!)'
+  elif [ -z "$cert" ]; then
+    # No certificate received.
+    printf ' - failed'
+  else
     # If we got a cert back, then the host and port were valid,
     # so they are safe to include in a file name.
     # Convert from punycode to unicode, if needed.
     host_and_port=$(echo "$host_and_port" | idn --allow-unassigned --idna-to-unicode)
     echo "$cert" > "certs/${host_and_port}.pem"
     printf ' - OK'
-  else
-    printf ' - failed'
   fi
   echo # newline
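Review bot: The new status branch in the last hunk tests `[ $mismatch -eq 1 ]` with an unquoted expansion; it works because `mismatch=0` is assigned unconditionally earlier in the loop body (first hunk), but `[ "$mismatch" -eq 1 ]` keeps the test well-formed if the assignment is ever moved and matches the quoting used on every other expansion in these hunks. A second point on the same branch: when `tor` mode is on but the Tor fetch returns nothing (the `Tor connection failed` branch in the second hunk), the directly fetched cert still reaches the `else` arm, is written to `certs/` and reported as ` - OK`, so on stdout it is indistinguishable from a cert that was actually cross-checked from a second network perspective, with the warning only on stderr. Consider a second flag set in that branch, e.g. `tor_unverified=1`, and printing ` - OK (not verified via Tor)` in the `else` arm when it is set, so the summary line reflects the weaker guarantee. The `# Mismatch.` comment in the second and fourth hunks only restates the condition it sits under and could be dropped. The enclosing `while read -r host` loop starts and ends outside these hunks.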