Okta Verify Desktop Registration Fails - Error "Cannot validate certificate chain, validation failed"
Overview

This article explains the error messages written to the Okta Verify logs after an unsuccessful attempt to register an account in Okta Verify for Desktop:

X509ChainValidator.ValidateCertificateChain: Chain validation failed due to the following error(s): RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.

X509ChainValidator.ValidateCertificateChain: Cert chain validation for CN=*.okta.com failed.

[CertificatePinningValidator.ValidateConnection]: Cannot validate certificate chain, validation failed.

ClientAccountManager.CheckOrganizationStatus: An error occured when getting the organization status. Exception: An error occurred while sending the request.: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.: The remote certificate is invalid according to the validation procedure.


For information on how to find the Okta Verify logs for review, see: Collect Okta Verify Logs from Desktop.

These errors occur while following the user account registration process documented for Windows and macOS.

Common symptoms of these errors include:

  • After the user enters their company's Okta subdomain, the browser fails to open and display the company's Okta Sign-In Widget, and the entered URL disappears from the field, so registration cannot proceed.
  • An error banner in Okta Verify stating: Something went wrong. Please try again.
 
Applies To
  • Okta Verify Desktop
  • Okta Identity Engine (OIE)
Cause

These errors are known to be caused by network proxies, TLS traffic inspection, and firewalls that do not let Okta Verify traffic pass as intended. In this case the log shows that the certificate revocation check for the outbound connection failed: RevocationStatusUnknown means the client could not reach the CRL or OCSP endpoint named in the certificate, not that the certificate is revoked. Revocation endpoints are plain-HTTP URLs (port 80) and are often blocked by an allowlist that permits only port 443, or the request never leaves the network at all. Separately, because Okta Verify pins the Okta certificate (the CertificatePinningValidator entry in the log), a TLS-inspecting proxy that re-signs *.okta.com with an internal CA also fails validation even when the operating system trusts that CA; Okta traffic must be excluded from inspection, not merely permitted.

Solution

To resolve these issues, Okta recommends allowlisting Okta in the network by integrating the following configurations and exceptions:

Ports

The Okta service uses SSL/TLS for all communication. If the policy requires a port number, port 443 must be allow-listed for the Okta IP addresses provided in this document unless otherwise noted.

Required Okta domains

If the company allow-list includes domains, add the following domains to the list of allowed domains:
  • *.okta.com
  • *.mtls.okta.com
  • *.oktapreview.com
  • *.mtls.oktapreview.com
  • *.oktacdn.com
  • *.okta-emea.com
  • *.mtls.okta-emea.com
  • *.kerberos.okta.com
  • *.kerberos.okta-emea.com
  • *.kerberos.oktapreview.com
  • *.okta-gov.com
  • *.mtls.okta-gov.com
  • *.okta.mil
  • *.mtls.okta.mil
Content Delivery Network (CDN)

Okta static UI assets (JavaScript, CSS, and images) can be delivered to browsers through an international CDN for faster downloading of assets to customers outside of the USA.

For most firewall or proxy systems, Okta recommends specifying an allowlist of DNS addresses for Okta services so that outbound connections can be made. To learn more about IP address ranges that can be allow-listed for CDN, refer to this article from Amazon Web Services.

Certificate revocation troubleshooting

Various problems can arise when a client checks a certificate's revocation status. For example, some clients refuse to connect to SSL/TLS endpoints when they cannot reach a revocation server. If you are experiencing trouble with certificate revocation, ensure that the revocation (CRL and OCSP) endpoints used by the Okta certificate chain are allow-listed over port 80 as well as port 443; these are plain-HTTP URLs carried in each certificate's CRL Distribution Points and Authority Information Access extensions.
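The following script is an added diagnostic for the Cause and the revocation troubleshooting sections above; it is not Okta's code and not part of the original article. It reproduces the same Windows chain build with online revocation checking that produces "RevocationStatusUnknown" in the Okta Verify log, prints the chain's root so a TLS-inspection CA is obvious, extracts the HTTP revocation URLs from the chain, and tests port 80 to each of those hosts. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (for Test-NetConnection), run as the same user and on the same network path that Okta Verify uses; "example.okta.com" is a placeholder for your org's Okta subdomain.

```powershell
# Added diagnostic (not Okta's code): reproduce Okta Verify's chain and revocation check on Windows.
# Assumes Windows PowerShell 5.1+, run in the same user/proxy context as Okta Verify.
# $OktaHost is a placeholder: replace it with your org's Okta subdomain.
param(
    [string]$OktaHost = "example.okta.com",
    [int]$Port = 443
)

# 1. Open a TLS session only to obtain the certificate the server (or an inspecting proxy) presents.
#    The callback accepts any certificate here; the real validation is done explicitly in step 2.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($OktaHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($OktaHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. Build the chain with online revocation checking. When the CRL/OCSP responder cannot be reached,
#    the chain status is RevocationStatusUnknown / OfflineRevocation, matching the Okta Verify log.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($leaf)

Write-Host "Leaf subject : $($leaf.Subject)"
Write-Host "Chain built without errors: $built"
foreach ($status in $chain.ChainStatus) {
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# If the root is your corporate inspection CA rather than a public CA, a TLS-inspecting proxy is
# re-signing the session; Windows may trust it, but Okta Verify's certificate pinning will not.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Chain root   : $($root.Subject)"

# 3. List the HTTP revocation endpoints each chain element depends on, then test port 80 to each host.
#    These hosts must be reachable in addition to the *.okta.com domains listed above.
$crlOid = '2.5.29.31'          # CRL Distribution Points
$aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access (OCSP responder, CA issuers)
$hosts = @{}
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    Write-Host "--- $($cert.Subject)"
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq $crlOid -or $ext.Oid.Value -eq $aiaOid) {
            # Format($true) renders the extension as text containing "URL=http://..." entries.
            foreach ($m in [regex]::Matches($ext.Format($true), 'http://[^\s\]\)]+')) {
                Write-Host "    $($m.Value)"
                $hosts[([uri]$m.Value).Host] = $true
            }
        }
    }
}
foreach ($h in $hosts.Keys) {
    # Plain TCP reachability on port 80; a 'BLOCKED' result is the allowlist gap this article describes.
    $reachable = Test-NetConnection -ComputerName $h -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("port 80 to {0}: {1}" -f $h, $(if ($reachable) { 'open' } else { 'BLOCKED' }))
}
```

Run it from the affected workstation rather than from an administrator's machine: CryptoAPI fetches CRLs and OCSP responses through the WinHTTP proxy settings of the user session, so a result obtained elsewhere does not prove anything about the path Okta Verify actually takes. Note that Test-NetConnection only checks that a TCP connection to port 80 is accepted; a proxy that accepts the connection but rewrites or blocks the HTTP request would still leave the chain status at RevocationStatusUnknown.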
Third-party services

Okta Mobile may require allowlisting of the following third-party domains for outbound connections to these services:
  • *.mapbox.com
