To check whether the cert and key match, use this:
(openssl x509 -noout -modulus -in /etc/ssl/certs/cacert.pem | openssl md5 ;\
openssl rsa -noout -modulus -in /etc/ssl/private/server.key | openssl md5) | uniq
If you get more than one identifier, then your key and cert don't match.
Just create a new one:
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/cacert.pem -keyout /etc/ssl/private/server.key
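The match check above, written as a reusable function. This is an added example, not part of the original post. It goes beyond the modulus comparison by comparing the full public key, so it also works for non-RSA keys, and it reports unreadable files instead of treating two failed reads as a match. The function names, the make_demo_files helper and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the public key inside a
# certificate with the public key derived from a private key.

# cert_key_match CERT KEY
#   returns 0 = match, 1 = mismatch, 2 = a file could not be read or parsed
cert_key_match() {
    # Capture each output separately: in a pipeline, a failed read would hash
    # empty input on both sides and look like a match.
    ckm_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    ckm_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$ckm_cert_pub" ] || return 2
    [ "$ckm_cert_pub" = "$ckm_key_pub" ]
}

# make_demo_files DIR  (hypothetical helper, constructed test data only)
#   DIR/cert.pem + DIR/server.key : matching self-signed RSA pair
#   DIR/other.key                 : unrelated EC key
make_demo_files() {
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 -subj "/CN=demo.invalid" \
        -out "$1/cert.pem" -keyout "$1/server.key" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/other.key" >/dev/null 2>&1
}

# Usage with the paths from the post:
#   cert_key_match /etc/ssl/certs/cacert.pem /etc/ssl/private/server.key
#   echo "status: $?"
```

A passphrase-protected key makes openssl pkey prompt for the passphrase; without a terminal the read fails and the function returns 2.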
Cheers!