Search the VMware Knowledge Base (KB)
View by Article ID

VMware vCenter Server Appliance fails to start while regenerating self-signed SSL certificates (2073717)

  • 11 Ratings

Symptoms

When the IP address of vCenter Server Appliance (VCSA) is modified or when the Toggle certificate setting option in the Admin tab is used in the VCSA management UI at https://vcsa:5480, you experience these symptoms:
  • VMware vCenter Server Appliance (VCSA) fails to start after a reboot
  • Cannot start VCSA after rebooting
  • On the virtual machine console, you see the message:
Hostname or IP has changed. Regenerating the self-signed certificates.
Starting VMware vPostgres: ok
Waiting for the embedded database to start up: .[OK]

Cause

This issue occurs due to a mismatch between the automatically regenerated SSL certificates and those stored in the vCenter Single Sign-On (SSO) database.

Resolution

To resolve this issue, disable automatic SSL regeneration, stop the SSO service and manually regenerate the certificates. This procedure consists of two parts.

Note: Take a backup or a snapshot of the virtual machine before proceeding.

  1. Boot the appliance to Init Level 1 through Grub and delete the allow_regeneration file:


    1. Reset the virtual appliance and navigate to the console for the virtual machine in the vSphere Client.
    2. Click in the console and press any key to display the GRUB menu.

      Note: The GRUB prompt remains on screen for 7 seconds before it starts the boot sequence. To access the GRUB menu, you may need to force the virtual machine to boot into the BIOS. To do this, edit the settings of the virtual machine. Under the Options tab, in Boot Options, select Enable Force BIOS Setup. Exit the BIOS and continue the reboot.

    3. When prompted, enter the GRUB password.

      Note: If the VCSA was deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware. If the VCSA root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.

    4. On the GRUB menu, select VMware vCenter Server Appliance.
    5. Type e to edit the line. A list of items in the GRUB configuration file appears.
    6. Select the line that starts with Kernel and type e to edit the line.
    7. At the end of the line, press the space bar and type:

      init=/bin/sh.

    8. Press Enter to exit edit mode.
    9. On the GRUB screen, type b to boot into the single-user mode. The virtual appliance boots in single-user mode.
    10. Now, delete the file generated by the Toggle certificate setting option by running the command:

      rm /etc/vmware-vpx/ssl/allow_regeneration

    11. Reboot the appliance. 

  2. Regenerate new SSL certificates from command line:

    1. After you reboot the VCSA, ensure that the FQDN, DSN, IP and all network configuration are correct.
    2. To open a command-line utility to check network configuration, run the VAMI script:

      /opt/vmware/share/vami/vami_config_net

    3. Create a allow_regeneration file by running the command:

      touch /etc/vmware-vpx/ssl/allow_regeneration

    4. Stop the VMware VirtualCenter Server Service by running the command:

      service vmware-vpxd stop

    5. Stop the vCenter Single Sign-On service by running the command:

      In vCenter Server 5.5: service vmware-sts-idmd stop
      In vCenter Server 5.1: service vmware-sso stop

    6. Regenerate the SSL certificate by running the command:

      source vpxd_commonutils; generate_all_certificates replace

      Note: The output is VC_CFG_RESULT=0.

    7. Remove the regeneration flag by removing the allow_regeneration file:

      rm /etc/vmware-vpx/ssl/allow_regeneration

    8. Reboot VCSA to ensure all the services and the certificates are running.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 11 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 11 Ratings
Actions
KB: