After updating the Secure Sockets Layer (SSL) certificate for a custom domain, the OAG IdP validation fails with the following error:
ACCESS_GATEWAY WEB_CONSOLE handling service exception: com.icsynergy.spgateway.service.OktaServiceException Error: com.icsynergy.spgateway.domain.SPGWError(type:SPGW_NETWORK_CONNECTION, status:0, code:SPGW_NETWORK_CONNECTION, message:Network IOException Occurred:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, developerMessage:Network IOException Occurred:class javax.net.ssl.SSLHandshakeException, errors:[:], context:null
This applies to:
- Okta Access Gateway (OAG)
- Secure Sockets Layer (SSL)
- Okta Classic Engine
- Okta Identity Engine (OIE)
Any of the following can cause this issue:
- The complete certificate chain (leaf plus intermediates) was not uploaded to Okta for the custom domain.
- OAG does not have the root CA in its Java trust store.
- SSL inspection at a WAF (or another proxy between OAG and Okta) is replacing the certificate.
To resolve this issue, follow the steps below:
- Ensure the complete certificate chain is loaded into Okta. To validate the certificate chain, use curl or a third-party chain checker.
- Ensure there is no SSL inspection or any other operation between OAG Admin and the Okta org that could alter the certificate presented to OAG.
- The OAG Java trust store is refreshed when the OAG Java packages are updated, so upgrading to the latest version of OAG picks up the updated trust store and lets validation pass.
NOTE: An upgrade will not resolve the issue if the cause is the certificate chain or the WAF. Rule these two out before performing an upgrade.
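As an added example (not part of the Okta article), the following shell script builds a throwaway root/intermediate/leaf chain with openssl and reproduces the first two causes offline: a chain presented without its intermediate, and a trust store that lacks the issuing root. The CA names, the host login.example.com and the working directory are constructed placeholders; the two live-check functions at the end are the checks to run against the real custom domain, and they need network access.

```shell
#!/bin/sh
# Added example, not from the Okta article: rebuilds the two certificate-chain failure
# modes behind "unable to find valid certification path" with a throwaway PKI generated
# locally by openssl, then gives the checks to run against a real custom domain.
# Assumes: openssl 1.1.1 or newer on PATH. All names (Demo root CA, login.example.com)
# and paths are constructed placeholders; nothing here touches a real Okta org.
set -u

WORK="${OAG_DEMO_DIR:-${TMPDIR:-/tmp}/oag-chain-demo}"

# Generate root -> intermediate -> leaf, plus an unrelated root that stands in for a
# trust store which does not contain the issuing root.
build_demo_chain() {
  mkdir -p "$WORK" || return 1
  (
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:login.example.com\n' > leaf.ext

    # Self-signed roots: the real issuer and a decoy that is NOT part of the chain
    for name in root other-root; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
        -subj "/CN=Demo $name CA" 2>/dev/null
      openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
        -extfile ca.ext -out "$name.crt" 2>/dev/null
    done

    # Intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
      -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.ext -out int.crt 2>/dev/null

    # Leaf for the custom domain, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=login.example.com" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

    cat leaf.crt int.crt > fullchain.pem  # what a correct Okta upload presents
    cp leaf.crt leafonly.pem              # what an incomplete upload presents
  )
}

# Cause 1 check: can a verifier that trusts only the root build a path to the leaf from
# the chain as presented ($1)? A leaf-only chain fails with "unable to get local issuer".
verify_chain_as_served() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Cause 2 check: the presented chain is complete, but the trust store ($1, standing in
# for the OAG Java cacerts) may lack the issuing root.
verify_with_trust_store() {
  openssl verify -CAfile "$1" -untrusted "$WORK/fullchain.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Live checks against the real custom domain (network required; host is a placeholder):
#   served_cert_count -> 1 means only the leaf is being sent (cause 1)
#   served_issuer     -> an unexpected corporate/WAF CA as issuer points to SSL inspection
served_cert_count() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
served_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}
# curl equivalent of the end-to-end handshake check (look for the verify result line):
#   curl -sv "https://login.example.com/" -o /dev/null 2>&1 | grep -i verify

build_demo_chain || exit 1
printf 'full chain, root trusted:     %s\n' "$(verify_chain_as_served "$WORK/fullchain.pem" && echo OK || echo FAIL)"
printf 'leaf only, root trusted:      %s\n' "$(verify_chain_as_served "$WORK/leafonly.pem" && echo OK || echo 'FAIL (cause 1)')"
printf 'full chain, root in store:    %s\n' "$(verify_with_trust_store "$WORK/root.crt" && echo OK || echo FAIL)"
printf 'full chain, root NOT in store: %s\n' "$(verify_with_trust_store "$WORK/other-root.crt" && echo OK || echo 'FAIL (cause 2)')"
```

The offline part runs as-is and should print OK, FAIL (cause 1), OK, FAIL (cause 2). For the Java side of cause 2, the equivalent of the `verify_with_trust_store` check is listing the cacerts file used by the OAG Java runtime (`keytool -list -keystore <path to that cacerts>`) and confirming the issuing root's subject appears in it; the path varies by OAG host and Java packaging, so look it up there rather than assuming one.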
