OAG Upgrade/Package Installation failing with SSL_ERROR_SYSCALL
Jun 21, 2024
Okta Classic Engine
Access Gateway
Okta Identity Engine
Overview
Following SSL connect error has been noticed when admin tries to install a package OR upgrade OAG appliance:
Errors during downloading metadata for repository 'oagProdDrivers': - Curl error (35): SSL connect error for https://yum.oag.okta.com/prod/Drivers /8/x86_64/repodata/repomd.xml [OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connect ion to yum.oag.okta.com:443 ] Error: Failed to download metadata for repo 'oagProdDrivers': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
No issues were noticed through connectivity tests for yum.oag.okta.com on port 443.
Applies To
- Okta Access Gateway (OAG)
- Upgrade Or Install Package
Cause
Firewall rules are blocking HTTPS connectivity to yum.oag.okta.com.
NOTE:
- OAG yum repository has no allowlist to enable connectivity to a specific appliance.
- Connectivity tests only checks if the host is listening on a specific port and it does not perform a TLS handshake.
- Curl tests can be used to check the actual result from the TLS handshake.
Solution
Make sure firewall rules are set correctly as described in documentation for Access Gateway updates i.e the appliance must be able to connect to yum.oag.okta.com over TCP/HTTPS.
