Contact Us 1-800-596-4880

Renew Server Certificates

Registering a Mule server in Anypoint Runtime Manager requires a valid certificate provisioned and signed by Runtime Manager. The certificate ensures secure communication between Runtime Manager and the Runtime Manager agent.

When a server certificate expires, Runtime Manager displays Disconnected in the Status column for the server on the Servers page. The mule_agent.log file displays a message like the following:

  • For Mule 3:

com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at mule-manager.anypoint.mulesoft.com: Connection refused.
  • For Mule 4:

com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.

For applications deployed to the server, Runtime Manager displays Unknown in the Status column on the Applications page.

View a Certificate Expiration Date

To see the expiration date for a server:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Click the server name.

    For servers in a server group or cluster, click the server group or cluster name and then click the server name.

    The certificate expiration date appears on the server dashboard:

    Certificate expiration date on the Dashboard page
    Figure 1. The arrow shows the Certificate expiration date on the Dashboard page.

Renew a Certificate from Runtime Manager

Before a certificate expires, you can renew it directly from Runtime Manager.

You can renew a certificate for a specific server or multiple servers within a cluster or group.

The status for the server must be Running to update its certificate.

To renew a certificate for a standalone server:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Verify that the server status is Running.

  4. Click the server name.

    Select Server
  5. Click Settings.

  6. From the Actions menu, select Renew Certificate.

    Settings Tab
  7. Select the checkbox to confirm your choice, and then click Renew.

    Confirm Renewal
  8. Check Certificate expiration date to verify that the certificate is renewed successfully, and restart Mule runtime to start using the new certificates.

To renew a certificate for servers in a cluster or group:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Verify that the server status is Running.

  4. Click the group or cluster name.

    Select Group or Cluster
  5. Check the radio button to select the server or servers you want to update.

  6. From the Actions menu, select Renew Certificate.

    Select Server
  7. Select the checkbox to confirm your choice, and then click Renew.

    Confirm Renewal
  8. Check Certificate expiration date to verify that the certificate renewed successfully.

If the Renew Certificate option in the Actions pull-down menu is not available after performing the previous steps, you may need to update your Agent version. The Server certificate renewal feature, which enables you to renew server certificates directly from Runtime Manager, was introduced by Runtime Manager 2.8.4. This feature requires Runtime Manager Agent 1.10.0 or later. You can hover over the Renew Certificate option in the Actions pull-down menu, and a tooltip in the UI indicates you the minimum required Runtime Agent version.

Renewing server certificates requires a manual runtime restart to start using the new certificates.

If renewing the unexpired certificate via Runtime Manager fails, follow the steps in Renew a Certificate via the Command Line.

Renew a Certificate via the Command Line

You can use this method to renew a certificate even after it has expired.

The agent connects with Runtime Manager using mutual SSL authentication and stores the key pair in the $MULE_HOME/conf/mule-agent.jks file. The key pair is valid for two years, after which the certificate expires and the connection with Runtime Manager terminates.

Make sure you disable MFA before implementing these steps.

To renew the agent key pair:

  1. Download the appropriate agent-certificate-renewer-{version}.jar file for your Mule version from Applications and Servers Displayed as unknown or disconnected in Anypoint Runtime Manager Due to an Expired Key Pair.

  2. Move the JAR file to $MULE_HOME/bin and ensure that you have execute permission.

    For example, on Linux, enter chmod +xx agent-certificate-renewer-{version}.jar.

  3. Stop Mule.

  4. Create a backup copy of the $MULE_HOME/conf directory.

  5. From $MULE_HOME/bin, run one of the following commands, depending on how you authenticate with Anypoint Platform:

    • Nonfederated

      Use your Anypoint Platform credentials on the command line:

      java -jar ./agent-certificate-renewer-{version}.jar -u <username> -p <password>

    • External identity

      Copy the registration token for the server from the Runtime Manager > Servers > Add Server popup screen and include it on the command line:

      Add Registration Token

      And execute the following command:

      java -jar ./agent-certificate-renewer-{version}.jar -H <ServerToken>

    • Proxy connection

      Use your Anypoint Platform and proxy server credentials on the command line:

      java -jar agent-certificate-renewer-{version}.jar -u <username> -p <password> -P <host> <port> <username> <password>

    • US MuleSoft Government Cloud Control Plane

      Use the following -r flag:

      java -jar ./agent-certificate-renewer-{version}.jar -H <ServerToken> -r us_gov

    • EU Control Plane

      Use the following -r flag:

      java -jar ./agent-certificate-renewer-{version}.jar -u <username> -p <password> -r eu1

    The command displays the following messages:

    INFO: Connecting to Core Services to extract authentication token.
    INFO: Connecting to Runtime Manager to request a new certificate.
    INFO: Backing up current agent keystore.
    INFO: Generating and saving new keystore.