Renew Server Certificates


Registering a Mule server in Anypoint Runtime Manager requires a valid certificate provisioned and signed by Runtime Manager. The certificate ensures secure communication between Runtime Manager and the Runtime Manager agent.

When a server certificate expires, Runtime Manager displays Disconnected in the Status column for the server on the Servers page. The mule_agent.log file displays a message like the following:

  • For Mule 3:

    com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at mule-manager.anypoint.mulesoft.com: Connection refused.

  • For Mule 4:

    com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.

For applications deployed to the server, Runtime Manager displays Unknown in the Status column on the Applications page.
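
The following added example (not part of the original page or of MuleSoft tooling) summarizes these WSConnection failures from a mule_agent.log so the symptom can be alerted on. The timestamp and level prefix on the sample lines are constructed assumptions, and a match is a prompt to check the certificate expiration date, not proof of expiry.

```bash
#!/bin/sh
# Added example: summarize agent connection failures in mule_agent.log.
# Only the message text after the prefix comes from the page.

# Constructed sample input (timestamps and log levels are assumptions).
sample_log() {
    cat <<'EOF'
2024-05-02 10:00:01 ERROR com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.
2024-05-02 10:00:31 ERROR com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 2 to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.
2024-05-02 10:00:45 INFO unrelated line (constructed)
2024-05-02 10:01:01 ERROR com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 3 to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.
EOF
}

# Reads a log from the given file(s) or stdin and prints one line per
# Runtime Manager host: failure count and highest retry number seen.
scan_agent_log() {
    awk '
    /com\.mulesoft\.agent\.transport\.WSConnection: Failed attempt to connect nro\. [0-9]+ / {
        n = $0; sub(/.*connect nro\. /, "", n); sub(/ .*/, "", n)
        h = $0; sub(/.*web socket client at /, "", h); sub(/:.*/, "", h)
        count[h]++
        if (n + 0 > max[h]) max[h] = n + 0
    }
    END {
        for (h in count) {
            # The host name tells which agent generation wrote the line.
            v = "unknown"
            if (h ~ /^mule-manager\./) v = "3"
            else if (h ~ /^runtime-manager\./) v = "4"
            printf "host=%s mule=%s failures=%d highest_attempt=%d\n", h, v, count[h], max[h]
        }
    }' "$@" | sort
}

# Demo on the constructed sample; in practice pass the path to mule_agent.log.
sample_log | scan_agent_log
```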

View a Certificate Expiration Date

To see the expiration date for a server:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Click the server name.

    For servers in a server group or cluster, click the server group or cluster name and then click the server name.

    The certificate expiration date appears on the server dashboard:

    Figure 1. The arrow shows the Certificate expiration date on the Dashboard page.

Renew a Certificate before It Expires

Before a certificate expires, you can renew it directly from Runtime Manager.

You can renew a certificate for a specific server or multiple servers within a cluster or group.

The status for the server must be Running to update its certificate.

To renew a certificate for a standalone server:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Verify that the server status is Running.

  4. Click the server name.

  5. Click Settings.

  6. From the Actions menu, select Renew Certificate.

  7. Select the checkbox to confirm your choice, and then click Renew.

  8. Check Certificate expiration date to verify that the certificate renewed successfully.

To renew a certificate for servers in a cluster or group:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Verify that the server status is Running.

  4. Click the group or cluster name.

  5. Check the radio button to select the server or servers you want to update.

  6. From the Actions menu, select Renew Certificate.

  7. Select the checkbox to confirm your choice, and then click Renew.

  8. Check Certificate expiration date to verify that the certificate renewed successfully.

If the Renew Certificate option in the Actions pull-down menu is not available after you perform the previous steps, you might need to update your agent version. The server certificate renewal feature, which enables you to renew server certificates directly from Runtime Manager, was introduced in Runtime Manager 2.8.4 and requires Runtime Manager Agent 1.10.0 or later. Hover over the Renew Certificate option in the Actions pull-down menu to see a tooltip that shows the minimum required Runtime Manager agent version.

Renewing server certificates does not trigger a runtime restart.

If renewing the unexpired certificate fails, follow the steps in Renew a Certificate after It Expires.

Renew a Certificate after It Expires

The agent connects with Runtime Manager using mutual SSL authentication and stores the key pair in the $MULE_HOME/conf/mule-agent.jks file. The key pair is valid for two years, after which the certificate expires and the connection with Runtime Manager terminates.

To renew the agent key pair:

  1. Download the agent-certificate-renewer.jar file for your Mule version from "Applications and Servers showing as unknown and disconnected state in Anypoint Runtime Manager due to expired key pair".

  2. Move the JAR file to $MULE_HOME/bin and ensure that you have execute permission.

    For example, on Linux, enter chmod +x agent-certificate-renewer.jar.

  3. Stop Mule.

  4. Create a backup copy of the $MULE_HOME/conf directory.

  5. From $MULE_HOME/bin, run one of the following commands, depending on how you authenticate with Anypoint Platform:

    • Nonfederated

      Use your Anypoint Platform credentials on the command line:

      java -jar ./agent-certificate-renewer.jar -u username -p password

    • External identity

      Copy the registration token for the server from the Runtime Manager > Servers > Add Server page and include it on the command line:

      java -jar ./agent-certificate-renewer.jar -H ServerToken

    • Proxy connection

      Use your Anypoint Platform and proxy server credentials on the command line:

      java -jar agent-certificate-renewer.jar -u username -p password -P host port username password

    The command displays the following messages:

    INFO: Connecting to Core Services to extract authentication token.
    INFO: Connecting to Runtime Manager to request a new certificate.
    INFO: Backing up current agent keystore.
    INFO: Generating and saving new keystore.
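
Steps 3 to 5 can be wrapped in a script so the backup is access-restricted and verified before the keystore is replaced. This is an added example, not MuleSoft tooling. It assumes Mule is controlled with the bin/mule wrapper, uses the registration-token form of the command, and the backup directory name and the `--run` switch are hypothetical.

```bash
#!/bin/sh
# Added example, not MuleSoft tooling. Assumes Mule is controlled with the
# bin/mule wrapper and the renewer JAR is already in $MULE_HOME/bin.

# Step 4: copy conf/ (it contains mule-agent.jks, the agent's key pair)
# into a new directory that only the current user can enter.
backup_conf() {
    mule_home="$1"
    ks="$mule_home/conf/mule-agent.jks"
    [ -f "$ks" ] || { echo "no agent keystore at $ks" >&2; return 1; }
    dest="$mule_home/conf-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -m 700 "$dest" || return 1          # fails if it already exists
    cp -Rp "$mule_home/conf" "$dest/" || return 1
    # Only report success if the copied keystore is byte-identical.
    cmp -s "$ks" "$dest/conf/mule-agent.jks" || return 1
    printf '%s\n' "$dest"
}

# Steps 3 to 5, using the registration-token form of the command.
renew_agent_keypair() {
    mule_home="$1"; token="$2"
    "$mule_home/bin/mule" stop || return 1
    backup=$(backup_conf "$mule_home") || return 1
    echo "conf backed up to $backup"
    if ! ( cd "$mule_home/bin" &&
           java -jar ./agent-certificate-renewer.jar -H "$token" ); then
        echo "renewal failed; conf can be restored from $backup" >&2
        return 1
    fi
    # The renewer should have written a new keystore; an unchanged file
    # means the old, expired key pair is still in place.
    if cmp -s "$mule_home/conf/mule-agent.jks" "$backup/conf/mule-agent.jks"; then
        echo "keystore unchanged after renewal" >&2
        return 1
    fi
    echo "new keystore written to $mule_home/conf/mule-agent.jks"
}

# Usage: MULE_HOME=/opt/mule ./renew-agent-keypair.sh --run
# The token is read from a prompt so it does not land in shell history.
if [ "${1:-}" = "--run" ]; then
    printf 'Registration token: ' >&2
    stty -echo; read -r token; stty echo; echo >&2
    renew_agent_keypair "${MULE_HOME:?set MULE_HOME}" "$token"
fi
```

The token is still passed to java as an argument, so it is visible in the process list while the renewer runs.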
