This post is for those running into an issue with CA-signed certificates while using the VCS to VCSA migration fling. It wouldn't let me post this in the discussion thread over there.
For those of you who are running into this issue, here's what I did to get vpxd running again.
Log into the converter appliance after it has completed "successfully" and copy the SSL certificate directories /tmp/<XXXXXXX>/iscerts (inventory service) and /tmp/<XXXXXXX>/vccerts (vCenter Server) over to the new VCSA (I created a directory /ssl for them). The <XXXXXXX> directory names are randomly generated and will differ from run to run.
Make sure there are no DOS line endings left over in the files (e.g. a '^M' carriage return at the end of each line). A one-line sed or tr command will strip them out if you don't want to do it by hand.
Create directories to back up the old inventory service and vCenter Server certificates:
vcsa:/ # mkdir /etc/vmware-vpx/ssl/backup
vcsa:/ # mkdir /usr/lib/vmware-vpx/inventoryservice/ssl/backup
Move the current certificates into those backup directories:
vcsa:/ # mv /etc/vmware-vpx/ssl/* /etc/vmware-vpx/ssl/backup
vcsa:/ # mv /usr/lib/vmware-vpx/inventoryservice/ssl/* /usr/lib/vmware-vpx/inventoryservice/ssl/backup
Copy the signed certs into their respective directories:
vcsa:/ # cp /ssl/iscerts/rui.* /usr/lib/vmware-vpx/inventoryservice/ssl/
vcsa:/ # cp /ssl/iscerts/rui-ca-cert.pem /usr/lib/vmware-vpx/inventoryservice/ssl/
vcsa:/ # cp /ssl/vccerts/rui.* /etc/vmware-vpx/ssl/
vcsa:/ # cp /ssl/iscerts/rui-ca-cert.pem /etc/vmware-vpx/ssl/
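Before the copied iscerts/ and vccerts/ directories go live it is worth checking them, since a stray carriage return or a key that does not belong to the cert will only surface later as an opaque vpxd or inventory service start-up failure. The script below is an added example, not part of the original post or of the fling: it strips DOS line endings, confirms rui.key is the private key for rui.crt (same RSA modulus) and that rui.crt chains to rui-ca-cert.pem. It assumes openssl on PATH and the rui.key / rui.crt / rui-ca-cert.pem layout described above; the function names are mine, and make_test_certs builds a throwaway test PKI so the demo runs offline.

```shell
# Added example (not from the post): sanity checks for a copied cert directory.
# Assumes openssl on PATH; layout rui.key / rui.crt / rui-ca-cert.pem as in the post.
set -eu

# Remove DOS line endings (CR before LF) from the PEM files in a directory,
# in place. Portable stand-in for the "sed command out there".
strip_crlf() {   # $1 = directory
    for f in "$1"/*.key "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Number of PEM files in a directory that still contain a carriage return.
count_crlf_files() {   # $1 = directory
    n=0
    for f in "$1"/*.key "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q "$(printf '\r')" "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Confirm rui.key is the private key behind rui.crt (same RSA modulus) and
# that rui.crt chains to rui-ca-cert.pem. Returns non-zero on any mismatch.
check_cert_dir() {   # $1 = directory
    d=$1
    km=$(openssl rsa  -noout -modulus -in "$d/rui.key" 2>/dev/null) || km=
    cm=$(openssl x509 -noout -modulus -in "$d/rui.crt" 2>/dev/null) || cm=
    if [ -z "$km" ] || [ "$km" != "$cm" ]; then
        echo "$d: rui.key does not match rui.crt" >&2; return 1
    fi
    if ! openssl verify -CAfile "$d/rui-ca-cert.pem" "$d/rui.crt" >/dev/null 2>&1; then
        echo "$d: rui.crt does not chain to rui-ca-cert.pem" >&2; return 1
    fi
    echo "$d: key matches cert, chain verifies"
}

# Constructed test PKI (throwaway CA + one signed cert), laid out like the
# post's cert directories. Demo only; not a real vCenter certificate.
make_test_certs() {   # $1 = directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$d/ca.key" -out "$d/rui-ca-cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=vcsa.example.test \
        -keyout "$d/rui.key" -out "$d/rui.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/rui.csr" -CA "$d/rui-ca-cert.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/rui.crt" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_test_certs "$work"
    # simulate the copy having picked up DOS line endings on rui.crt
    awk '{ printf "%s\r\n", $0 }' "$work/rui.crt" > "$work/rui.crt.tmp"
    mv "$work/rui.crt.tmp" "$work/rui.crt"
    echo "files with CRLF before: $(count_crlf_files "$work")"
    strip_crlf "$work"
    echo "files with CRLF after:  $(count_crlf_files "$work")"
    check_cert_dir "$work"
    rm -rf "$work"
}
demo
```

Run check_cert_dir against /ssl/iscerts and /ssl/vccerts on the VCSA before the cp commands above; if the modulus check fails you have mixed a key from one directory with a cert from the other, which is an easy mistake given that both are called rui.key.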
Re-encrypt the database password. After the migration vcdb.properties holds it in plaintext, so note it down:
vcsa:/ # cat /etc/vmware-vpx/vcdb.properties
driver = org.postgresql.Driver
dbtype = PostgreSQL
url = jdbc:postgresql://127.0.0.1:5432/VCDB
username = vc
password = <copy this password>
password.encrypted = false
vcsa:/ # vpxd -p <the copied password>
Decrypt the current LDAP (SSO) password with the following command. The userPwd value in instance.cfg is not a hash: it is the password RSA-encrypted with the old rui.key, byte-reversed and base64-encoded, which is why it can be recovered and then re-encrypted under the new key:
grep '^userPwd=' /etc/vmware-vpx/instance.cfg.bak | cut -c 9- | tr -d '\\\\' | base64 -d | python -c "import sys
data = sys.stdin.read()
data_len = len(data)
for i in range(data_len):
sys.stdout.write(data[data_len-i-1])
" | openssl rsautl -inkey /etc/vmware-vpx/ssl.bak/rui.key -pkcs -decrypt
The location "/etc/vmware-vpx/ssl.bak/", I believe, is created by the converter appliance during the copy operation.
The file "/etc/vmware-vpx/instance.cfg.bak" I also believe is created by the converter. I'm not 100% on that though, YMMV.
If the command completed correctly, you should see a string of random characters like aB1@3cDe4(fG56h. If you have the wrong key, it'll throw an error at you.
Now create the new encrypted value with the rui.key that is in place now (the one from the previous vCenter Server):
echo -n "<retrieved password>" | openssl rsautl -inkey /etc/vmware-vpx/ssl/rui.key -pkcs -encrypt | python -c "import sys
data = sys.stdin.read()
data_len = len(data)
for i in range(data_len):
sys.stdout.write(data[data_len-i-1])
" | base64 -w0 | sed 's/=/\\=/g'
Copy the current instance.cfg to a backup:
vcsa:/ # cp /etc/vmware-vpx/instance.cfg /etc/vmware-vpx/instance.cfg.original
Then use vi to edit instance.cfg and replace the old value on the "userPwd=" line with the new one. Keep the '=' characters in the value escaped as '\=', which is what the sed at the end of the command above does.
vcsa:/ # vi /etc/vmware-vpx/instance.cfg
#Fri Jan 08 17:43:22 UTC 2016
applicationDN=dc\=virtualcenter,dc\=vmware,dc\=int
userPwd=<the new encrypted value goes here>
ldapInstanceName=VMwareVCMSDS
ldapPort=389
userDN=cn\=Administrator,dc\=virtualcenter,dc\=vmware,dc\=int
ldapHost=127.0.0.1
ldapStoragePath=/etc/vmware-vpx//VMwareVCMSDS
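The decrypt and re-encrypt steps above are easy to get subtly wrong (the byte reversal, the single-line base64, the '=' escaping), so here they are as functions that can be rehearsed against throwaway keys before a real instance.cfg is touched. This is an added example, not code from the original post or from the communities thread; it assumes openssl and python3 on PATH, the function names are mine, and it uses openssl pkeyutl, which defaults to the same PKCS#1 v1.5 padding as the rsautl -pkcs calls in the post.

```shell
# Added example (not from the post): the instance.cfg userPwd transform as
# functions, round-tripped through throwaway keys. Assumes openssl + python3.
set -eu

# Reverse a byte stream. Same job as the inline python in the post, written
# for python3 so the binary ciphertext is not mangled by text-mode I/O.
reverse_bytes() {
    python3 -c 'import sys; sys.stdout.buffer.write(sys.stdin.buffer.read()[::-1])'
}

# Produce a userPwd value the way instance.cfg stores it: RSA PKCS#1 v1.5
# encrypt the plaintext with the public half of rui.key, reverse the
# ciphertext bytes, base64 on one line, then escape '=' for the properties file.
vcsa_encrypt_userpwd() {   # $1 = rui.key, $2 = plaintext password
    printf '%s' "$2" | openssl pkeyutl -encrypt -inkey "$1" \
        | reverse_bytes | base64 -w0 | sed 's/=/\\=/g'
}

# Inverse of the above: unescape, base64-decode, un-reverse, RSA decrypt.
vcsa_decrypt_userpwd() {   # $1 = rui.key, $2 = escaped userPwd value
    printf '%s' "$2" | tr -d '\\' | base64 -d | reverse_bytes \
        | openssl pkeyutl -decrypt -inkey "$1"
}

# Everything after 'userPwd=' in an instance.cfg.
userpwd_from_cfg() {   # $1 = instance.cfg path
    grep '^userPwd=' "$1" | cut -c 9-
}

# Re-key a userPwd: decrypt with the key it was written under, re-encrypt
# with the key the new VCSA will use, print the new escaped value.
rekey_userpwd() {   # $1 = old rui.key, $2 = new rui.key, $3 = instance.cfg
    plain=$(vcsa_decrypt_userpwd "$1" "$(userpwd_from_cfg "$3")")
    vcsa_encrypt_userpwd "$2" "$plain"
}

demo() {
    work=$(mktemp -d)
    old="$work/old-rui.key"; new="$work/new-rui.key"; cfg="$work/instance.cfg"
    openssl genrsa -out "$old" 2048 2>/dev/null
    openssl genrsa -out "$new" 2>/dev/null
    pw='aB1@3cDe4(fG56h'    # constructed sample password, not a real one
    # constructed instance.cfg fragment with the value encrypted under $old
    printf 'applicationDN=dc\\=virtualcenter,dc\\=vmware,dc\\=int\nuserPwd=%s\nldapPort=389\n' \
        "$(vcsa_encrypt_userpwd "$old" "$pw")" > "$cfg"
    newval=$(rekey_userpwd "$old" "$new" "$cfg")
    got=$(vcsa_decrypt_userpwd "$new" "$newval")
    rm -rf "$work"
    [ "$got" = "$pw" ] && echo "re-key round trip OK: $newval" || { echo "MISMATCH" >&2; return 1; }
}
demo
```

On the appliance the old key is /etc/vmware-vpx/ssl.bak/rui.key and the new one /etc/vmware-vpx/ssl/rui.key, so rekey_userpwd with those two paths and instance.cfg.bak prints the string to paste onto the userPwd= line. One caveat when checking the decrypt step on a newer machine: OpenSSL 3.2 and later apply implicit rejection to PKCS#1 v1.5 decryption and return random-looking bytes instead of an error when the key is wrong, so compare the output against the known password rather than relying on an error to tell you the key was wrong.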
At this point I had started vpxd up because I was anxious, but was unable to log into vCenter with the SSO admin account. I ended up resetting it using KB 2034608 (http://kb.vmware.com/kb/2034608) and was able to log in again, but was still getting vCenter errors and the inventory was empty. I decided to re-register the two services with SSO.
Stop the vCenter and SSO services:
vcsa:/ # service vmware-stsd stop
vcsa:/ # service vmware-vpxd stop
Follow KB article 2097934 (http://kb.vmware.com/kb/2097934) steps 5 through 10, skip 11, then do 12, 13 and 14. Those steps re-register the vCenter and inventory services with SSO.
At this point I restarted the VCSA and luckily everything came back up. I had to reconnect my hosts (because I had reset the inventory database as an earlier troubleshooting step), but everything looks fine now.
Again, YMMV greatly - but these steps helped me work through it.
BIG shout-out to praseodymium on the communities thread https://communities.vmware.com/thread/504830?start=0&tstart=0. They're probably the only reason I was able to get this to work, thanks to those little decryption/encryption scripts.