Okta Workflows Raw Request card shows a failure when connecting to an existing working application in Okta Access Gateway. No issues were observed when accessing the same through the browser or Postman. An error similar to the one below can be noticed when running the flow: 

• Okta Workflows
• Okta Access Gateway

If the application server does not have the complete certificate chain configured, then most browsers will 'patch' those gaps in the certificate while rendering.

However, the Raw Request card does not behave the same way. It expects the complete certificate chain for TLS to work. When the complete certificate chain is not presented, the workflow will show a failure, as shown in the screenshot above.

curl can be used to validate if the complete chain is presented by the application, as shown below. Here, the output shows an issue with the certificate chain: 

$$ curl -kv https://<application_domain>
<output redacted>
*  SSL certificate verify result: unable to get local issuer certificate, continuing anyway.
<output redacted>

When the complete chain is presented, then curl will show the below output for SSL verification: 

*  SSL certificate verify ok.

Make sure the complete certificate chain is configured on the application server and curl returns an "ok" message for SSL verification. In case the application is hosted in Okta Access Gateway, then application certificate can be uploaded again with the complete chain using the format shown here.