Okta Access Gateway Upgrade Fails With "SSL_ERROR_SYSCALL" Error
Last Updated:
Overview
An Okta Access Gateway (OAG) upgrade or package installation fails with a Secure Sockets Layer (SSL) connect error because firewall rules block Hypertext Transfer Protocol Secure (HTTPS) connectivity to the repository. Configuring the firewall rules to allow the connection resolves the issue. When attempting to install a package or update the appliance, the following error occurs:
Errors during downloading metadata for repository 'oagProdDrivers':
- Curl error (35): SSL connect error for https://yum.oag.okta.com/prod/Drivers /8/x86_64/repodata/repomd.xml [OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connect ion to yum.oag.okta.com:443 ]
Error: Failed to download metadata for repo 'oagProdDrivers': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Connectivity tests for yum.oag.okta.com on port 443 show no issues.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Access Gateway (OAG)
- Upgrades and Package Installations
Cause
Firewall rules block HTTPS connectivity to yum.oag.okta.com.
NOTE: The Okta Access Gateway yum repository has no allowlist to enable connectivity to a specific appliance. Connectivity tests only check if the host listens on a specific port and do not perform a Transport Layer Security (TLS) handshake. Curl tests verify the actual result from the TLS handshake.
Solution
How is the SSL connect error resolved during an upgrade?
Configure the firewall rules to allow the appliance to connect to the repository over TCP and HTTPS.
- Configure the firewall rules to allow the appliance to connect to
yum.oag.okta.comover Transmission Control Protocol (TCP) and HTTPS, as described in the Access Gateway updates Firewall and access requirements.
