Renew Server Certificates
Registering a Mule server in Anypoint Runtime Manager requires a valid certificate provisioned and signed by Runtime Manager. The certificate ensures secure communication between Runtime Manager and the Runtime Manager agent.
When a server certificate expires, Runtime Manager displays Disconnected in the Status column for the server on the Servers page.
The mule_agent.log file displays a message like the following:
- For Mule 3:
  com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at mule-manager.anypoint.mulesoft.com: Connection refused.
- For Mule 4:
  com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.
For applications deployed to the server, Runtime Manager displays Unknown in the Status column on the Applications page.
View a Certificate Expiration Date
To see the expiration date for a server:
- From Anypoint Platform, select Runtime Manager.
- Click the Servers tab.
- Click the server name.
  For servers in a server group or cluster, click the server group or cluster name and then click the server name.
The certificate expiration date appears on the server dashboard:
Figure 1. The arrow shows the Certificate expiration date on the Dashboard page.
Renew a Certificate from Runtime Manager
Before a certificate expires, you can renew it directly from Runtime Manager.
You can renew a certificate for a specific server or multiple servers within a cluster or group.
The status for the server must be Running to update its certificate.
To renew a certificate for a standalone server:
- From Anypoint Platform, select Runtime Manager.
- Click the Servers tab.
- Verify that the server status is Running.
- Click the server name.
- Click Settings.
- From the Actions menu, select Renew Certificate.
- Select the checkbox to confirm your choice, and then click Renew.
- Check Certificate expiration date to verify that the certificate is renewed successfully, and restart Mule runtime to start using the new certificates.
To renew a certificate for servers in a cluster or group:
- From Anypoint Platform, select Runtime Manager.
- Click the Servers tab.
- Verify that the server status is Running.
- Click the group or cluster name.
- Check the radio button to select the server or servers you want to update.
- From the Actions menu, select Renew Certificate.
- Select the checkbox to confirm your choice, and then click Renew.
- Check Certificate expiration date to verify that the certificate renewed successfully.
If the Renew Certificate option in the Actions pull-down menu is not available after performing the previous steps, you may need to update your Agent version. The server certificate renewal feature, which enables you to renew server certificates directly from Runtime Manager, was introduced in Runtime Manager 2.8.4. This feature requires Runtime Manager Agent 1.10.0 or later. You can hover over the Renew Certificate option in the Actions pull-down menu, and a tooltip shows the minimum required Runtime Manager Agent version.
Renewing server certificates requires a manual runtime restart to start using the new certificates.
If renewing the unexpired certificate via Runtime Manager fails, follow the steps in Renew a Certificate via the Command Line.
Renew a Certificate via the Command Line
You can use this method to renew a certificate even after it has expired.
The agent connects with Runtime Manager using mutual SSL authentication and stores the key pair in the $MULE_HOME/conf/mule-agent.jks file.
The key pair is valid for two years, after which the certificate expires and the connection with Runtime Manager terminates.
Make sure you disable MFA before implementing these steps.
To renew the agent key pair:
- Download the appropriate agent-certificate-renewer-{version}.jar file for your Mule version from Applications and Servers Displayed as unknown or disconnected in Anypoint Runtime Manager Due to an Expired Key Pair.
- Move the JAR file to $MULE_HOME/bin and ensure that you have execute permission.
  For example, on Linux, enter chmod +x agent-certificate-renewer-{version}.jar.
- Stop Mule.
- Create a backup copy of the $MULE_HOME/conf directory.
- From $MULE_HOME/bin, run one of the following commands, depending on how you authenticate with Anypoint Platform:
  - Nonfederated
    Use your Anypoint Platform credentials on the command line:
    java -jar ./agent-certificate-renewer-{version}.jar -u <username> -p <password>
  - External identity
    Copy the registration token for the server from the Runtime Manager > Servers > Add Server popup screen, and then include it on the command line when you execute the following command:
    java -jar ./agent-certificate-renewer-{version}.jar -H <ServerToken>
  - Proxy connection
    Use your Anypoint Platform and proxy server credentials on the command line:
    java -jar agent-certificate-renewer-{version}.jar -u <username> -p <password> -P <host> <port> <username> <password>
  - US MuleSoft Government Cloud Control Plane
    Use the following -r flag:
    java -jar ./agent-certificate-renewer-{version}.jar -H <ServerToken> -r us_gov
  - EU Control Plane
    Use the following -r flag:
    java -jar ./agent-certificate-renewer-{version}.jar -u <username> -p <password> -r eu1
The command displays the following messages:
INFO: Connecting to Core Services to extract authentication token.
INFO: Connecting to Runtime Manager to request a new certificate.
INFO: Backing up current agent keystore.
INFO: Generating and saving new keystore.
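The backup made before renewal contains the agent key pair in mule-agent.jks, so it needs the same protection as the original conf directory. The shell functions below are an added example, not MuleSoft code: they confirm the connection-failure symptom in a mule_agent.log and back up the conf directory with owner-only permissions. The function names, the conf.bak.<stamp> naming, and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: checks around the command-line renewal. Paths are passed in;
# nothing here contacts Anypoint Platform.

# Count the agent connection failures (message shown earlier) in a log file.
count_ws_failures() {
    grep -cF 'com.mulesoft.agent.transport.WSConnection: Failed attempt to connect' "$1" || true
}

# List the distinct Runtime Manager hosts the agent failed to reach.
failed_hosts() {
    sed -n 's/.*WSConnection: Failed attempt to connect .* web socket client at \([^:]*\): .*/\1/p' "$1" | sort -u
}

# Back up <mule_home>/conf to <mule_home>/conf.bak.<stamp> (naming is an
# assumption). The copy holds mule-agent.jks, so it is made owner-only.
backup_conf() {
    src="$1/conf"; dst="$1/conf.bak.$2"
    [ -f "$src/mule-agent.jks" ] || { echo "no mule-agent.jks in $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 1; }
    mkdir -m 700 "$dst" || return 1          # private before any file lands in it
    cp -Rp "$src/." "$dst/" || return 1      # includes dotfiles, keeps file modes
    chmod 700 "$dst"                         # in case cp reset the directory mode
    cmp -s "$src/mule-agent.jks" "$dst/mule-agent.jks" || return 1
    printf '%s\n' "$dst"
}

# Demo on constructed data in a scratch directory (not a real Mule install).
demo() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/conf" "$home/logs"
    printf 'constructed-keystore-bytes' > "$home/conf/mule-agent.jks"
    log="$home/logs/mule_agent.log"
    m='com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro.'
    t='to the web socket client at runtime-manager.anypoint.mulesoft.com: Connection refused.'
    printf '%s 1 %s\n%s 2 %s\n' "$m" "$t" "$m" "$t" > "$log"
    echo "failures: $(count_ws_failures "$log")  host(s): $(failed_hosts "$log")"
    backup_conf "$home" demo
    rm -rf "$home"
}
demo
```

After stopping Mule, call it as backup_conf "$MULE_HOME" "$(date +%Y%m%d%H%M%S)". The -p and -H values in the renewal commands end up in shell history and are visible in the process list while the tool runs, so run them from a session you control and clear the history entry afterward.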