Receiving the below error in the Okta System logs when configuring an Inline/Event hook or System for Cross-domain Identity Management (SCIM) Provisioning.
"error authenticating the PKIX path building failed, sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
- Inline hooks
- Event hooks
- System for Cross-domain Identity Management (SCIM) Integration
When Okta makes a TLS (SSL) connection to an external server, Okta expects the server to return the full X.509 certificate chain minus the root certificate. Servers that are configured to return only their own (leaf) certificate, or that omit one of the intermediate certificates in the chain, can cause the PKIX path building error above.
The target server should return the full X.509 certificate chain minus the root certificate. To view the full certificate chain, most browsers offer a way to display a site's certificate details.
Browsers and devices often cache intermediate certificates, so even if the server does not return the full chain, the browser can still complete the chain of trust. A site that looks fine in a browser can therefore still fail when Okta connects to it.
The chain shown by the browser can then be compared with the chain the server actually returns, using a tool such as cURL or OpenSSL:
Without SNI:
openssl s_client -showcerts -connect www.example.com:443 </dev/null
With SNI:
openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null
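The expectation above (every certificate the server sends is followed by the certificate that issued it, ending at a root that Okta already trusts) can be checked mechanically against the `Certificate chain` listing that `openssl s_client -showcerts` prints, where each certificate appears as an `s:` (subject) line followed by an `i:` (issuer) line. The script below is an added example for this article, not an Okta tool; the three chain listings it carries are constructed samples with placeholder CA names, and the PEM bodies are elided because only the `s:`/`i:` lines are parsed.

```python
import re
import sys
from typing import List, Tuple

# (subject, issuer) as printed by OpenSSL in its "Certificate chain" listing
ChainEntry = Tuple[str, str]

# Constructed sample of a correctly configured server: leaf followed by the
# intermediate that issued it, root omitted. PEM bodies elided (placeholders).
GOOD_CHAIN = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
"""

# Constructed sample: server sends only its own certificate.
LEAF_ONLY_CHAIN = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
"""

# Constructed sample: server sends an intermediate, but not the one that
# actually issued its certificate (a stale bundle left from a renewal).
WRONG_INTERMEDIATE_CHAIN = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Old Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
---
"""

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output: str) -> List[ChainEntry]:
    """Extract (subject, issuer) pairs, in the order the server sent them."""
    chain: List[ChainEntry] = []
    pending_subject = None
    for line in s_client_output.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def expected_root(chain: List[ChainEntry]) -> str:
    """Issuer of the last certificate sent: the root CA the client must trust."""
    return chain[-1][1] if chain else ""


def diagnose(chain: List[ChainEntry]) -> Tuple[str, List[str]]:
    """Return ('ok' | 'incomplete', notes) for the chain as the server sent it."""
    notes: List[str] = []
    broken = False
    if not chain:
        return "incomplete", ["server returned no certificates"]
    # Each certificate must be followed by the certificate that issued it.
    for k in range(len(chain) - 1):
        _, issuer = chain[k]
        next_subject, _ = chain[k + 1]
        if issuer != next_subject:
            broken = True
            notes.append(f"cert {k} was issued by '{issuer}' but cert {k + 1} is "
                         f"'{next_subject}': the issuing intermediate is missing")
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:
        notes.append("chain ends with a self-signed root; Okta does not need it sent")
    elif len(chain) == 1:
        broken = True
        notes.append(f"only the leaf was sent; the intermediate '{last_issuer}' is missing")
    else:
        notes.append(f"chain ends at root CA '{last_issuer}'; it must be in Okta's trust store")
    return ("incomplete" if broken else "ok"), notes


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--stdin":
        samples = [("piped s_client output", sys.stdin.read())]
    else:
        samples = [("good", GOOD_CHAIN), ("leaf only", LEAF_ONLY_CHAIN),
                   ("wrong intermediate", WRONG_INTERMEDIATE_CHAIN)]
    for label, text in samples:
        verdict, notes = diagnose(parse_chain(text))
        print(f"{label}: {verdict}")
        for note in notes:
            print("  -", note)
```

To run it against a real endpoint, pipe the output of the `openssl s_client -showcerts` command above into `python3 check_chain.py --stdin` (the file name is a placeholder). An `incomplete` verdict points at the server configuration; an `ok` verdict with a root CA name that is not in Okta's trust store points at the support-case path described below.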
Okta adds only CA root certificates to its processes' trust stores; self-signed certificates are not added. Most widely used root certificates are already present, but there are cases where the server correctly returns the trust chain and the Okta trust store still does not contain the necessary root CA. If this is the case, open a support case to have it added.
