Contact Free trial Login

Renew Server Certificates

logo cloud disabled logo hybrid active logo server active logo rtf disabled

Registering a Mule server in Anypoint Runtime Manager requires a valid certificate provisioned and signed by Runtime Manager. The certificate ensures secure communication between Runtime Manager and the Runtime Manager agent.

When a server certificate expires, Runtime Manager displays Disconnected in the Status column for the server on the Servers page. The mule-agent.log file displays a message like the following:

com.mulesoft.agent.transport.WSConnection: Failed attempt to connect nro. 1 to the web socket client at Connection refused.

For applications deployed to the server, Runtime Manager displays Unknown in the Status column on the Applications page.

View a Certificate Expiration Date

To see the expiration date for a server:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Click the server name.

    For servers in a server group or cluster, click the server group or cluster name and then click the server name.

    The certificate expiration date appears on the server dashboard:

    Certificate expiration date on the Dashboard page
    Figure 1. The arrow shows the Certificate expiration date on the Dashboard page.

Renew a Certificate before It Expires

Before a certificate expires, you can renew it directly from Runtime Manager.

You can renew a certificate for a specific server or multiple servers within a cluster or group.

The status for the server must be Running to update its certificate.

To renew a certificate for a server:

  1. From Anypoint Platform, select Runtime Manager.

  2. Click the Servers tab.

  3. Verify that the server status is Running.

  4. Click the server name.

  5. Click Settings.

  6. From the Actions menu, select Renew Certificate.

  7. Select the checkbox to confirm your choice, and then click Renew.

  8. Check Certificate expiration date to verify that the certificate renewed successfully.

If renewing the unexpired certificate fails, follow the steps in Renew a Certificate after It Expires.

Renew a Certificate after It Expires

The agent connects with Runtime Manager using mutual SSL authentication and stores the key pair in the $MULE_HOME/conf/mule-agent.jks file. The key pair is valid for two years, after which the certificate expires and the connection with Runtime Manager terminates.

To renew the agent key pair:

  1. Download the agent-certificate-renewer.jar file for your Mule version from Applications and Servers showing as unknown and disconnected state in Anypoint Runtime Manager due to expired key pair.

  2. Move the JAR file to $MULE_HOME/bin and ensure that you have execute permission.

    For example, on Linux, enter chmod +xx agent-certificate-renewer.jar.

  3. Stop Mule.

  4. Create a backup copy of the $MULE_HOME/conf directory.

  5. From $MULE_HOME/bin, run one of the following commands, depending on how you authenticate with Anypoint Platform:

    • Nonfederated

      Use your Anypoint Platform credentials on the command line:

      java -jar ./agent-certificate-renewer.jar -u username -p password

    • External identity

      Copy the registration token for the server from the Runtime Manager > Servers > Add Server page and include it on the command line:

      java -jar ./agent-certificate-renewer.jar -H ServerToken

    • Proxy connection

      Use your Anypoint Platform and proxy server credentials on the command line:

      java -jar agent-certificate-renewer.jar -u username -p password -P host port username password

    The command displays the following messages:

    INFO: Connecting to Core Services to extract authentication token.
    INFO: Connecting to Runtime Manager to request a new certificate.
    INFO: Backing up current agent keystore.
    INFO: Generating and saving new keystore.

Was this article helpful?

💙 Thanks for your feedback!

Edit on GitHub