Okta Classic Engine | Integrations | Answered | 2025-08-19T14:53:49.000Z | 2025-08-16T01:44:05.000Z | 2025-08-19T14:53:29.000Z
Okta Custom Domain In Pending State

I am being pestered with this problem for the 2nd time in 3 months and now I am losing my patience. I did post the answer to this problem three months ago: https://support.okta.com/help/s/question/0D5KZ00000jeUE10AM/domain-being-in-pending-status?language=en_US

However, this time, after repeating these steps 5 or more times, the situation has not changed. In my Rt53, the CNAME record has the key *.mydomain.com and the value provided by Okta. There is a TXT record that points to _octaverification. and I do have an A record with the key login.mydomain.com and the value of the IP associated with my running EC2 instance.

My application is down, since it is pointing to the expired certificate. The only way to move out of the pending state is to change the CNAME key to login.mydomain.com. This is as dumb as it gets, since now after login the user lands on Okta's user page. Just to make it even "nicer", now I can't have an A record pointing to login.mydomain.com.

My question is: what has changed on the Okta side so that a domain with CNAME *.mydomain.com can no longer be verified?

As a sanity check, the SSL certs are in the right place, created by Certbot and in the correct directory. What could possibly be wrong? This is costing me money by being down the whole week.

The whole problem is why a CNAME record with a wildcard is all of a sudden unverifiable. What is the workaround for this problem, since I can't have two entries in Rt53 with the same key?

I am not a devops person. I can make that CNAME login.mydomain.com. That will resolve in 5 minutes. My certs are set for login.mydomain.com and the conf.d directory has an entry to serve secure traffic on 443 with the location of the certificates. What happens now with my A record? It obviously has to be something other than login.mydomain.com. Would that imply a new entry in the conf.d directory to address this issue? Would I need another secure certificate now for that altered A record?

I checked DNS propagation with DNS checker: https://dnschecker.org/

I can see the CNAME record with *.login.mydomain.com. However, the Okta domain verification is still in the pending state.


  • Mihai N. (Okta, Inc.)

    Hi @VladimirB.45940 (Customer), thank you for reaching out to the Okta Community!

    The only other thing that I've seen reported is issues being caused by Network Settings, or by the admin/user having a VPN active when accessing the custom domain URL or the Domain page under the Brand.

    When accessing the custom domain URL or the Domain page under the Brand, a GET call is made behind the scenes that verifies the connection between the Domain and Okta. If any of these connections is blocked, this will result in a failed call.

    The response may be an error message "The page is not available" when accessing the URL, or, when accessing the Domain status page from the Admin Dashboard and Brand, a status of "Pending".

    If you are using a VPN you could try the following:

    1. Verify the Network zones created or the Network policies.
    2. Turn Off VPN and refresh the page.

    Regards.

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge.

    Just released: More Okta Community badges just added

    • VladimirB.45940 (Customer)

      Mihai:

      Thank you for your response. I am not running behind a VPN. I have not experienced any custom domain verification issues in 5 years until last week. This is an EC2 instance that runs in AWS and this is the first time that I am experiencing these validation issues.

      Vladimir N. Bajic

      [Redacted by Moderator]

    • VladimirB.45940 (Customer)

      Moreover, this behavior happened on August 9, when I updated my secure certificate for my domain. There were no issues with validating the old certificate.

      Vladimir N. Bajic

    • VladimirB.45940 (Customer)

      This is what I do not understand:

      If I put login.mycustomdomain.com in my CNAME, that custom domain resolution stops being in pending mode asap. My application does not serve its content.

      If I have *.mycustomdomain.com in my CNAME, as of August 9 my domain sits in pending status. This has been the setup for the past 6 years with two different cloud providers.

      Vladimir N. Bajic

      [Redacted by Moderator]

      • Mihai N. (Okta, Inc.)

        The problem does not seem to be a change from Okta, rather a conflict in your DNS records, likely triggered by your recent certificate update.

        A CNAME record must be the only record for a specific host. You have a wildcard CNAME (*.mydomain.com) and a more specific A record for login.mydomain.com. Because the A record takes precedence, Okta's verification process, which looks for a CNAME on login.mydomain.com, fails.

        This conflict seems to be the core issue. Your test, where changing the CNAME to login.mydomain.com works immediately, seems to confirm this. You can't have both a wildcard CNAME and a specific A record for the same host.

        You should try dedicating login.mydomain.com to Okta. The correct approach might be to:

        1. Remove the A record for login.mydomain.com.
        2. Use a CNAME record for login.mydomain.com that points to the Okta-provided domain.
        3. Create a new A record for a different subdomain, like app.mydomain.com, to point to your EC2 instance.

        By keeping your Okta authentication and application on separate subdomains, you should resolve the DNS conflicts and get everything working again.

        Regards.

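Added example, not code from this thread or from Okta: a small Python model of the DNS rule behind the conflict described in the answer above. It applies the RFC 4592 wildcard rule, under which *.mydomain.com is consulted only for names that have no records of their own, so an A record at login.mydomain.com hides the wildcard CNAME from a lookup on that name; it then checks the zone after the three-step fix and the "same key" case. The Okta target name, the 203.0.113.10 address and the zone contents are constructed placeholders.

```python
# Constructed model of the DNS rule behind this thread's "pending" status.
# Not Okta's or Route 53's code. A zone is {owner name: [(rrtype, value), ...]}.
OKTA_TARGET = "placeholder.customdomains.okta.example"  # stands in for the Okta-provided value
APP_IP = "203.0.113.10"  # constructed EC2 address (TEST-NET-3 range)


def resolve(zone, name, rrtype):
    """Answer a query for (name, rrtype) from the zone data.

    RFC 4592 (simplified to one label): the wildcard owner *.parent is consulted
    only when the queried name does not exist at all. Once login.mydomain.com
    has an A record the name exists, so *.mydomain.com is never used for it.
    RFC 1034 3.6.2: a CNAME at a name answers every query type for that name.
    """
    if name in zone:
        rrs = zone[name]
    else:
        parent = name.split(".", 1)[1]
        rrs = zone.get("*." + parent, [])
    cnames = [v for t, v in rrs if t == "CNAME"]
    return cnames if cnames else [v for t, v in rrs if t == rrtype]


def okta_domain_status(zone, host):
    """Model the check that moves a custom domain from Pending to Verified:
    the host must answer with a CNAME to the Okta-provided target."""
    return "verified" if resolve(zone, host, "CNAME") == [OKTA_TARGET] else "pending"


def cname_conflicts(zone):
    """Names carrying a CNAME next to other record types. Route 53 rejects
    these, which is the 'two entries with the same key' limit in the question."""
    return sorted(n for n, rrs in zone.items()
                  if len(rrs) > 1 and any(t == "CNAME" for t, _ in rrs))


# Zone as described in the question: wildcard CNAME plus an A record on login.
BROKEN_ZONE = {
    "*.mydomain.com": [("CNAME", OKTA_TARGET)],
    "login.mydomain.com": [("A", APP_IP)],
}
# Zone after the three steps in the answer: login dedicated to Okta, app on its own name.
FIXED_ZONE = {
    "login.mydomain.com": [("CNAME", OKTA_TARGET)],
    "app.mydomain.com": [("A", APP_IP)],
}
# What putting both records under one key would look like.
SAME_KEY_ZONE = {"login.mydomain.com": [("CNAME", OKTA_TARGET), ("A", APP_IP)]}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, okta_domain_status(zone, "login.mydomain.com"),
              resolve(zone, "app.mydomain.com", "A"))
    print("conflicts:", cname_conflicts(SAME_KEY_ZONE))
```

Note that in the broken zone every other name under mydomain.com still answers with the wildcard CNAME; only login.mydomain.com, the one name the verification queries, does not.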
      • VladimirB.45940 (Customer)

        Here is my question: why did this happen all of a sudden? This worked for 6 years and now it is not working anymore. How will my authentication now point to my app when I change my A record to app.alumsum.com and my CNAME to login.alumsum.com? What other configuration changes will I have to make?

        Vladimir N. Bajic

        [Redacted by Moderator]

      • Mihai N. (Okta, Inc.)

        We can provide general guidance and documentation, but in-depth troubleshooting is outside of the Okta Community forum scope.

        Free trial/developer/integrator orgs are not intended for production purposes. If you have a different paid account, I would recommend using it to open a ticket with the Okta Support team to go over the matter with them.

        If you are an application vendor trying to implement a new app to be published to the Okta Integrations Network, please review the following process documentation to identify the appropriate support option.

        Publish an OIN integration

        Regards.

    • VladimirB.45940 (Customer)

      That would be the optimal solution, but I am not on a paid tier, thus I can't open a support ticket.

      Vladimir N. Bajic

      [Redacted by Moderator]

This question is closed.