To resolve this issue, disable automatic SSL regeneration, stop the SSO service and manually regenerate the certificates. This procedure consists of two parts.
Note: Take a backup or a snapshot of the virtual machine before proceeding.
- Boot the appliance to Init Level 1 through GRUB and delete the allow_regeneration file:
  - Reset the virtual appliance and navigate to the console for the virtual machine in the vSphere Client.
  - Click in the console and press any key to display the GRUB menu.
    Note: The GRUB prompt remains on screen for 7 seconds before it starts the boot sequence. To access the GRUB menu, you may need to force the virtual machine to boot into the BIOS. To do this, edit the settings of the virtual machine. Under the Options tab, in Boot Options, select Enable Force BIOS Setup. Exit the BIOS and continue the reboot.
  - When prompted, enter the GRUB password.
    Note: If the VCSA was deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware. If the VCSA root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.
  - On the GRUB menu, select VMware vCenter Server Appliance.
  - Type e to edit the line. A list of items in the GRUB configuration file appears.
  - Select the line that starts with Kernel and type e to edit the line.
  - At the end of the line, press the space bar and type:
    init=/bin/sh
  - Press Enter to exit edit mode.
  - On the GRUB screen, type b to boot into single-user mode. The virtual appliance boots in single-user mode.
  - Delete the file generated by the Toggle certificate setting option by running the command:
    rm /etc/vmware-vpx/ssl/allow_regeneration
  - Reboot the appliance.
- Regenerate new SSL certificates from the command line:
  - After you reboot the VCSA, ensure that the FQDN, DNS, IP and all network configuration are correct.
  - To open a command-line utility to check network configuration, run the VAMI script:
    /opt/vmware/share/vami/vami_config_net
  - Create an allow_regeneration file by running the command:
    touch /etc/vmware-vpx/ssl/allow_regeneration
  - Stop the VMware VirtualCenter Server Service by running the command:
    service vmware-vpxd stop
  - Stop the vCenter Single Sign-On service by running the command:
    In vCenter Server 5.5: service vmware-sts-idmd stop
    In vCenter Server 5.1: service vmware-sso stop
  - Regenerate the SSL certificate by running the command:
    source vpxd_commonutils; generate_all_certificates replace
    Note: The expected output is VC_CFG_RESULT=0.
  - Remove the regeneration flag by removing the allow_regeneration file:
    rm /etc/vmware-vpx/ssl/allow_regeneration
  - Reboot the VCSA to ensure that all the services are running with the regenerated certificates.
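
The create-flag, regenerate, remove-flag steps of the second part can be wrapped so that the allow_regeneration flag is removed even when regeneration fails or is interrupted, and so that success is only reported when the output contains VC_CFG_RESULT=0. This is an added example, not VMware's own tooling; the function name regen_with_flag is hypothetical, and the usage comment assumes bash is available on the appliance to run the page's `source` command.

```shell
#!/bin/sh
# Added example (not part of the original procedure).
# regen_with_flag FLAG_FILE COMMAND [ARGS...]
#   Creates FLAG_FILE, runs COMMAND, and always removes FLAG_FILE afterwards.
#   Exit status: 0 = output contained VC_CFG_RESULT=0
#                1 = regeneration not confirmed
#                2 = flag already present (first part of the procedure not done)
#                3 = flag could not be created
# The body runs in a subshell, so its variables and traps do not leak out.
regen_with_flag() (
    flag=$1
    shift

    # A flag that already exists was not created by this run; leave it alone
    # and stop, so a stale flag is noticed rather than silently reused.
    if [ -e "$flag" ]; then
        echo "stale flag present: $flag" >&2
        exit 2
    fi

    # From here on, every exit path (including Ctrl-C) removes the flag.
    trap 'rm -f "$flag"' EXIT
    trap 'exit 130' INT TERM

    : > "$flag" || exit 3

    out=$("$@" 2>&1)
    printf '%s\n' "$out"

    # Take the last VC_CFG_RESULT=<n> reported by the command.
    result=$(printf '%s\n' "$out" |
        sed -n 's/^.*VC_CFG_RESULT=\([0-9][0-9]*\).*$/\1/p' | tail -n 1)

    if [ "$result" != "0" ]; then
        echo "regeneration not confirmed (VC_CFG_RESULT=${result:-missing})" >&2
        exit 1
    fi
    exit 0
)

# Usage on the appliance, after stopping the services listed in the procedure
# (assumes bash, which provides `source`):
#   regen_with_flag /etc/vmware-vpx/ssl/allow_regeneration \
#       bash -c 'source vpxd_commonutils; generate_all_certificates replace'
```

Exit status 2 means the flag was already present before the run, which indicates that the first part of the procedure has not been completed.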