VMware vCenter Server Appliance fails to start while regenerating self-signed SSL certificates
search cancel

VMware vCenter Server Appliance fails to start while regenerating self-signed SSL certificates


Article ID: 341112


Updated On:


VMware vCenter Server


When the IP address of vCenter Server Appliance (VCSA) is modified or when the Toggle certificate setting option in the Admin tab is used in the VCSA management UI at https://vcsa:5480, you experience these symptoms:
  • VMware vCenter Server Appliance (VCSA) fails to start after a reboot
  • Cannot start VCSA after rebooting
  • On the virtual machine console, you see the message:
Hostname or IP has changed. Regenerating the self-signed certificates.
Starting VMware vPostgres: ok
Waiting for the embedded database to start up: .[OK]


VMware vCenter Server Appliance 5.1.x
VMware vCenter Server Appliance 5.5.x


This issue occurs due to a mismatch between the automatically regenerated SSL certificates and those stored in the vCenter Single Sign-On (SSO) database.


To resolve this issue, disable automatic SSL regeneration, stop the SSO service and manually regenerate the certificates. This procedure consists of two parts.

Note: Take a backup or a snapshot of the virtual machine before proceeding.

  1. Boot the appliance to Init Level 1 through Grub and delete the allow_regeneration file:

    1. Reset the virtual appliance and navigate to the console for the virtual machine in the vSphere Client.
    2. Click in the console and press any key to display the GRUB menu.

      Note: The GRUB prompt remains on screen for 7 seconds before it starts the boot sequence. To access the GRUB menu, you may need to force the virtual machine to boot into the BIOS. To do this, edit the settings of the virtual machine. Under the Options tab, in Boot Options, select Enable Force BIOS Setup. Exit the BIOS and continue the reboot.

    3. When prompted, enter the GRUB password.

      Note: If the VCSA was deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware. If the VCSA root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.

    4. On the GRUB menu, select VMware vCenter Server Appliance.
    5. Type e to edit the line. A list of items in the GRUB configuration file appears.
    6. Select the line that starts with Kernel and type e to edit the line.
    7. At the end of the line, press the space bar and type:


    8. Press Enter to exit edit mode.
    9. On the GRUB screen, type b to boot into the single-user mode. The virtual appliance boots in single-user mode.
    10. Now, delete the file generated by the Toggle certificate setting option by running the command:

      rm /etc/vmware-vpx/ssl/allow_regeneration

    11. Reboot the appliance.

  2. Regenerate new SSL certificates from command line:

    1. After you reboot the VCSA, ensure that the FQDN, DSN, IP and all network configuration are correct.
    2. To open a command-line utility to check network configuration, run the VAMI script:


    3. Create a allow_regeneration file by running the command:

      touch /etc/vmware-vpx/ssl/allow_regeneration

    4. Stop the VMware VirtualCenter Server Service by running the command:

      service vmware-vpxd stop

    5. Stop the vCenter Single Sign-On service by running the command:

      In vCenter Server 5.5: service vmware-sts-idmd stop
      In vCenter Server 5.1: service vmware-sso stop

    6. Regenerate the SSL certificate by running the command:

      source vpxd_commonutils; generate_all_certificates replace

      Note: The output is VC_CFG_RESULT=0.

    7. Remove the regeneration flag by removing the allow_regeneration file:

      rm /etc/vmware-vpx/ssl/allow_regeneration

    8. Reboot VCSA to ensure all the services and the certificates are running.

Additional Information

自己署名 SSL 証明書の再生成中に VMware vCenter Server Appliance の起動に失敗する
在重新生成自签名 SSL 证书时,VMware vCenter Server Appliance 启动失败