When setting up a custom domain with an Okta-managed TLS certificate, it is possible to run into the following Domain Name System (DNS) verification error:
The certificate could not be provisioned. Double check that your DNS entries are correct, or wait a few minutes for propagation.
- Custom Domain
- Domain Name System (DNS) errors
The domain registrar can take up to 24 hours for new custom DNS changes to propagate.
Verify the following:
- Verify that the DNS record value was copied exactly from the Okta configuration page into the DNS settings at the domain registrar.
- If the above error is seen, check the Okta System Log to confirm whether a DNS verification timeout error is also present.
- Perform a DNS lookup of the newly created DNS record with any external tool to verify that it is correctly configured.
- For example, Google's Dig tool can be used to check the DNS record.
NOTE: Depending on the registrar, it may be necessary to enter only the subdomain part. For example, if the subdomain id.example.com is picked, the registrar may only require the creation of a CNAME record for id (because .example.com is implied). If needed, check the registrar's documentation.
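The lookup step above can be scripted so that the record is checked against two public resolvers before re-trying in Okta. This is an added example, not Okta's own tooling; it assumes the record is a CNAME, that dig is installed, and that the expected target is the value shown on the Okta configuration page (passed in by the caller).

```shell
#!/bin/sh
# Added example (not Okta tooling): confirm that public DNS returns the CNAME
# value copied from the Okta custom domain configuration page.
# Assumptions: record type CNAME, `dig` available, expected target supplied by you.

# normalize_name: lowercase and strip the trailing dot dig appends to FQDNs,
# so "Id.Example.COM." and "id.example.com" compare equal.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cname_matches OBSERVED EXPECTED: exit 0 when both name the same target.
cname_matches() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# dns_propagated HOST EXPECTED_TARGET: query two public resolvers and succeed
# only when both return the expected CNAME, i.e. the record has propagated
# beyond the registrar's own nameservers. Returns 1 otherwise.
dns_propagated() {
    host=$1; expected=$2; ok=0
    for resolver in 8.8.8.8 1.1.1.1; do
        observed=$(dig +short CNAME "$host" "@$resolver" | head -n 1)
        if [ -z "$observed" ]; then
            echo "$resolver: no CNAME for $host yet (still propagating, or record name wrong?)"
        elif cname_matches "$observed" "$expected"; then
            echo "$resolver: $host -> $observed (ok)"
            ok=$((ok + 1))
        else
            echo "$resolver: $host -> $observed, expected $expected (mismatch)"
        fi
    done
    [ "$ok" -eq 2 ]
}

# Usage: dns_propagated id.example.com <CNAME-target-from-Okta-page>
```

A mismatch or empty answer from either resolver means the value pasted at the registrar should be re-checked before re-creating the custom domain.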
If the records are publicly available but the error is still visible on the Okta configuration page, try re-creating the custom domain.
If the error errorCode: E0000165, errorSummary: "Domain not verified" is returned by the Aerial create org API request with a custom domain, wait for the domain information to propagate and confirm it with a DNS lookup, then run POST /api/v1/domains/{domainId}/verify and re-create the org.
