To upgrade OpenResty to version 1.21.14.1-1b, perform the following steps.

Procedure

  1. Scan all Carbon Black EDR certificates to detect certificates that are incompatible with OpenSSL 1.1.1+. See Scanning Certificates.
  2. Regenerate all incompatible certificates. See Regenerating Certificates.
    Caution: It is critical to make sure that all online sensors are continuously checking in with the server before you proceed with the OpenResty upgrade.

    You must also address the status of sensors that were offline during the Client CA regeneration process (Client Certificate Authority, Step 6).

    Failure to take these steps can prevent affected sensors from successfully checking in and sending data to the server after the OpenResty upgrade.

  3. Create a secure backup of all existing certificates to ensure that you can revert to the previous state if necessary. Run the following command:

    # /usr/share/cb/cbssl backup --out <backup_file_name>

  4. Stop the Carbon Black EDR enterprise or cluster. This action prevents potential conflicts or issues during the regeneration.
  5. Upgrade OpenResty.
    • Cluster
      1. Run the following command (in the cbcluster script) on the primary or standalone node: # /usr/share/cb/cbcluster openresty-upgrade
      Note: If failures are reported during the upgrade across primary or minion nodes, Carbon Black EDR recommends that you manually run the following steps on the primary and each minion node to assure that there are no anomalies.
      1. # rpm -e openresty-openssl-1.0.2zd-1a.cb.el8 --nodeps
      2. # rpm -e openresty-1.21.4.1-1a.cb.el8 --nodeps
      3. # yum install -y openresty-1.21.4.1-1b.cb.el8
      4. # cd /etc/cb/certs
      5. # mkdir -p orig.cbssl.regenerate
      6. # cp cb-client-ca-bundle.crt orig.cbssl.regenerate/cb-client-ca-bundle.crt.bak
      7. # rm cb-client-ca-bundle.crt
    • Standalone
      1. # rpm -e openresty-openssl-1.0.2zd-1a.cb.el8 --nodeps
      2. # rpm -e openresty-1.21.4.1-1a.cb.el8 --nodeps
      3. # yum install -y openresty-1.21.4.1-1b.cb.el8
      4. # cd /etc/cb/certs
      5. # mkdir -p orig.cbssl.regenerate
      6. # cp cb-client-ca-bundle.crt orig.cbssl.regenerate/cb-client-ca-bundle.crt.bak
      7. # rm cb-client-ca-bundle.crt
  6. Start the Carbon Black EDR enterprise or cluster.