
KevinW.91496 (Customer) asked a question.
Language: Node.js + Express
After implementing a custom login domain using the instructions here (https://developer.okta.com/docs/guides/custom-url-domain/update-other-okta-settings/) and updating each app's settings to use the new domain, the last step was to update the "issuer" field when defining the OpenID Connect client in my node.js application. When doing that, I get the following error:
UnhandledPromiseRejectionWarning: RequestError: unable to verify the first certificate
    at ClientRequest.<anonymous> (C:\Users\*****\node_modules\got\source\request-as-event-emitter.js:178:14)
    at Object.onceWrapper (events.js:422:26)
    at ClientRequest.emit (events.js:327:22)
    at ClientRequest.origin.emit (C:\Users\****\node_modules\@szmarczak\http-timer\source\index.js:37:11)
    at TLSSocket.socketErrorListener (_http_client.js:469:9)
    at TLSSocket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)
The certificate is valid and if I access the custom domain URL via the browser there is no certificate error. If I return the issuer field back to the default, the error goes away. The only way I can get the application to use the custom URL is to add the environmental variable "NODE_TLS_REJECT_UNAUTHORIZED" = 0, which isn't safe long term for many reasons.
Any advice would be appreciated!

Hello Kevin,
This error can appear when the certificate used to create the custom domain does not contain an entire certificate chain. Try recreating the certificate and adding the entire chain, including the CA's root certificate.
If you still require assistance, please reach out to our Developer team on https://devforum.okta.com/
Thank You,
Radu Chiriac
Technical Support Engineer
Okta Global Customer Care
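
One way to confirm the incomplete-chain diagnosis from Node itself, as an added example that is not part of the original thread: a one-off probe that inspects the chain the custom domain presents, so NODE_TLS_REJECT_UNAUTHORIZED=0 never has to be set for the application. The function names and sample objects are illustrative, and the code assumes Node's getPeerCertificate(true) shape, where a missing issuer leaves issuerCertificate unset and a self-signed root points back at itself.

```javascript
// Added example; function names and the sample objects are illustrative.
// Walks the object returned by tlsSocket.getPeerCertificate(true) from the
// leaf upward and reports whether the chain reaches a self-signed root.
function summarizeChain(leaf) {
  const chain = [];
  const seen = new Set();
  let cert = leaf;
  while (cert && cert.fingerprint256 && !seen.has(cert.fingerprint256)) {
    seen.add(cert.fingerprint256);
    chain.push({ subject: cert.subject?.CN, issuer: cert.issuer?.CN });
    cert = cert.issuerCertificate; // a self-signed root points back at itself
  }
  // Stopping on an already-seen certificate means the root was reached;
  // stopping on undefined means the next issuer was never supplied.
  const complete = chain.length > 0 && Boolean(cert) && seen.has(cert.fingerprint256);
  const top = chain[chain.length - 1];
  return { complete, depth: chain.length,
           missingIssuer: complete || !top ? null : top.issuer, chain };
}

// Diagnostic probe. Verification is disabled for this single handshake only,
// to see what the server sends; no application data is written to the socket.
async function probeChain(host, port = 443) {
  const tls = await import('node:tls'); // works from CommonJS and ES modules
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      { host, port, servername: host, rejectUnauthorized: false }, () => {
        const result = summarizeChain(socket.getPeerCertificate(true));
        result.authorizationError = socket.authorizationError || null;
        socket.end();
        resolve(result);
      });
    socket.on('error', reject);
  });
}

// Constructed sample data shaped like getPeerCertificate(true) output.
const makeLeaf = (issuerCertificate) => ({
  subject: { CN: 'login.example.com' }, issuer: { CN: 'Example Intermediate CA' },
  fingerprint256: 'AA:01', issuerCertificate });
const root = { subject: { CN: 'Example Root CA' }, issuer: { CN: 'Example Root CA' },
  fingerprint256: 'CC:03' };
root.issuerCertificate = root;
const intermediate = { subject: { CN: 'Example Intermediate CA' },
  issuer: { CN: 'Example Root CA' }, fingerprint256: 'BB:02', issuerCertificate: root };
const SAMPLE_LEAF_ONLY = makeLeaf(undefined);   // server sent only its own cert
const SAMPLE_FULL_CHAIN = makeLeaf(intermediate); // server sent the intermediate too
```

Calling probeChain with the custom domain's hostname and getting complete: false together with authorizationError UNABLE_TO_VERIFY_LEAF_SIGNATURE (the code behind "unable to verify the first certificate") points to the missing intermediate named in missingIssuer.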