
Okta DNS Verification Error "The certificate could not be provisioned" When Setting Up a Custom Domain

Administration
Okta Classic Engine
Okta Identity Engine

Overview

During the setup of a custom domain with an Okta-managed Transport Layer Security (TLS) certificate, a Domain Name System (DNS) verification error can occur because new or changed DNS records at the domain name registrar can take up to 24 hours to propagate to public resolvers. Until Okta can resolve the verification records it cannot confirm control of the domain and will not provision the certificate. Resolve this by verifying the DNS records, checking the System Log, and recreating the custom domain if necessary.

Error Message

Okta displays the following DNS verification error on the custom domain configuration page:

The certificate could not be provisioned. Double check that your DNS entries are correct, or wait a few minutes for propagation.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Custom Domain
  • Domain Name System (DNS)

Cause

  • New or changed DNS records at the domain name registrar can take up to 24 hours to propagate, so Okta cannot yet resolve the records it needs to verify the custom domain.

Solution

How is the DNS verification error resolved?

Verify the DNS record values, check the System Log for the timeout error, perform an external DNS lookup, and recreate the custom domain if the records resolve correctly but the error persists.

  1. Verify that each DNS record value entered in the domain registrar DNS settings matches the exact value shown on the Okta custom domain configuration page. Record names and values must match character for character, without extra whitespace.
  2. Check the Okta System Log to confirm whether the DNS verification timeout event is present.
    [Image: example of the DNS verification timeout event in the Okta System Log]
  3. Perform a DNS lookup of the newly created DNS record with an external tool, such as Google's Dig tool, to confirm that the record is publicly resolvable and carries the expected value.
  4. Recreate the custom domain if the records are publicly resolvable but the error remains on the Okta configuration page.

NOTE: Depending on the registrar, only the host part of the record name must be entered. For example, when the custom domain is id.example.com, many registrars expect the Canonical Name (CNAME) record to be created for the host id, because the zone .example.com is appended automatically; entering the full name id.example.com there creates a record for id.example.com.example.com, which Okta never queries. Check the registrar documentation for its specific requirements.
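To make steps 1 to 4 and the note above concrete, the following is an added example (not Okta's code) that compares the records Okta expects with what a resolver returns. The expected records use the fqdn / recordType / values shape of the Okta Domains API as the author of this example understands it; every hostname, verification value and resolver answer is constructed, and the CNAME deliberately reproduces the doubled-zone registrar mistake described in the note. A live resolver based on dnspython is included but not used by default, so the script runs offline.

```python
"""Offline comparison of an Okta custom domain's expected DNS records
with resolver answers.

Added example, not Okta's code. EXPECTED mirrors the dnsRecords shape
(fqdn / recordType / values) of the Okta Domains API as the author of this
example understands it; every hostname, value and answer below is
constructed for illustration.
"""
from typing import Callable, Dict, Iterable, List

# (record name, record type) -> answer strings, as dig prints them
Resolver = Callable[[str, str], Iterable[str]]

# Constructed stand-in for the records shown on the Okta configuration page.
EXPECTED: List[Dict] = [
    {"fqdn": "_oktaverification.id.example.com", "recordType": "TXT",
     "values": ["79496f234fbe4d889d8d14b2b7f5c13f"]},
    {"fqdn": "id.example.com", "recordType": "CNAME",
     "values": ["example.customdomains.okta1.com"]},
]


def normalize(value: str) -> str:
    """Canonical form for comparison: dig quotes TXT data and prints names
    with a trailing dot, and DNS names are case-insensitive. None of those
    differences should be reported as a mismatch."""
    return value.strip().strip('"').rstrip(".").lower()


def check_record(rec: Dict, resolve: Resolver, zone: str) -> Dict:
    """Compare one expected record with what the resolver returns.

    status is one of:
      OK            every expected value is present
      NOT_FOUND     no answer yet (typically propagation not finished)
      DOUBLED_ZONE  the record exists at <fqdn>.<zone>: the full name was
                    entered at a registrar that appends the zone itself
      MISMATCH      an answer exists but carries a different value
    """
    name, rtype = rec["fqdn"], rec["recordType"]
    want = {normalize(v) for v in rec["values"]}
    got = {normalize(v) for v in resolve(name, rtype)}
    if want <= got:
        return {"status": "OK", "got": sorted(got)}
    if not got:
        doubled_name = f"{name}.{zone}"
        doubled = {normalize(v) for v in resolve(doubled_name, rtype)}
        if want <= doubled:
            return {"status": "DOUBLED_ZONE", "got": sorted(doubled),
                    "hint": f"found at {doubled_name}; enter only the host "
                            f"part relative to {zone} at the registrar"}
        return {"status": "NOT_FOUND", "got": []}
    return {"status": "MISMATCH", "got": sorted(got)}


def check_domain(expected: List[Dict], resolve: Resolver,
                 zone: str) -> Dict[str, Dict]:
    """Run check_record over every expected record, keyed by fqdn."""
    return {rec["fqdn"]: check_record(rec, resolve, zone) for rec in expected}


# Constructed answers standing in for live dig output. The TXT record is
# correct apart from quoting and case. The CNAME was entered at the
# registrar as "id.example.com" instead of "id", so it exists only at
# id.example.com.example.com and a lookup of id.example.com is empty.
ANSWERS = {
    ("_oktaverification.id.example.com", "TXT"):
        ['"79496F234FBE4D889D8D14B2B7F5C13F"'],
    ("id.example.com", "CNAME"): [],
    ("id.example.com.example.com", "CNAME"):
        ["example.customdomains.okta1.com."],
}


def fake_resolve(name: str, rtype: str) -> List[str]:
    return ANSWERS.get((normalize(name), rtype), [])


def dnspython_resolve(name: str, rtype: str) -> List[str]:
    """Live resolver for real use (third-party: pip install dnspython)."""
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


if __name__ == "__main__":
    for fqdn, result in check_domain(EXPECTED, fake_resolve, "example.com").items():
        print(fqdn, result)
```

Swap `fake_resolve` for `dnspython_resolve` to run the same check against public DNS; a NOT_FOUND result that turns into OK over the following hours is propagation, while a DOUBLED_ZONE or MISMATCH result means the registrar entry itself needs fixing before waiting any longer.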

How is the Domain not verified error resolved?

If the Aerial create org API request returns errorCode "E0000165" with errorSummary "Domain not verified" for a custom domain, the DNS records for that domain have not propagated yet. Wait for the domain information to propagate, then:

  1. Verify the propagation by performing a DNS lookup of the domain's records.
  2. Run the POST /api/v1/domains/{domainId}/verify request and recreate the org.
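As an added example (not Okta's code), the function below drives the POST /api/v1/domains/{domainId}/verify request named in step 2 and retries only while Okta answers with the E0000165 "Domain not verified" error quoted above, since that error means time is the fix; any other error is returned immediately. The org URL, domain id, API token and the response bodies produced by the fake transport are constructed, and the transport is injectable so the retry logic runs offline.

```python
"""Retry POST /api/v1/domains/{domainId}/verify while Okta still reports
E0000165 "Domain not verified".

Added example, not Okta's code. The endpoint and error code are the ones
the article names; the org URL, domain id, API token and the response
bodies of the fake transport are constructed. `send` is injectable so the
logic can be exercised offline.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict]                          # (HTTP status, JSON body)
Sender = Callable[[urllib.request.Request], Response]


def http_send(req: urllib.request.Request) -> Response:
    """Real transport: decode the JSON body for 2xx and 4xx alike."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def verify_domain(org_url: str, domain_id: str, api_token: str,
                  send: Sender = http_send, attempts: int = 5,
                  wait_seconds: float = 60.0,
                  sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, Dict]:
    """Return (verified, last_response_body).

    Only E0000165 is retried, because it means the DNS records are not yet
    publicly resolvable. Any other error is returned at once: retrying does
    not repair a wrong domain id or a bad API token.
    """
    req = urllib.request.Request(
        f"{org_url}/api/v1/domains/{domain_id}/verify",
        data=b"",                 # POST with an empty body
        method="POST",
        headers={
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    body: Dict = {}
    for attempt in range(1, attempts + 1):
        status, body = send(req)
        if status == 200:
            return True, body
        if body.get("errorCode") != "E0000165":
            return False, body
        if attempt < attempts:
            sleep(wait_seconds)   # propagation in progress; check again later
    return False, body


def make_fake_sender(failures: int) -> Sender:
    """Constructed transport: answers E0000165 `failures` times, then 200."""
    calls = {"n": 0}

    def send(req: urllib.request.Request) -> Response:
        calls["n"] += 1
        if calls["n"] <= failures:
            return 400, {"errorCode": "E0000165",
                         "errorSummary": "Domain not verified"}
        domain_id = req.full_url.rsplit("/", 2)[-2]
        return 200, {"id": domain_id, "domain": "id.example.com",
                     "validationStatus": "VERIFIED"}   # constructed body

    return send


if __name__ == "__main__":
    # Offline demonstration: two propagation failures, then success.
    ok, body = verify_domain("https://example.okta.com", "OcDexampleDomainId000",
                             "00placeholder-api-token", send=make_fake_sender(2),
                             wait_seconds=0, sleep=lambda s: None)
    print(ok, body)
```

With the default `http_send`, `wait_seconds=60` and `attempts=5`, the call gives DNS a few more minutes before giving up; if it still returns E0000165 after that, go back to the DNS lookup in step 1 rather than increasing the retry count, because a record that never appears publicly is a registrar problem, not a propagation delay.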
