Issues with custom domain

I’ve followed the directions here

https://developer.okta.com/docs/guides/custom-url-domain/overview/

but it’s not completely working.

I’ve enabled the custom domain, and when I go to the login page I do see my changes (the company name there). The URL is still dev-xxxx.okta/etc

I’ve replaced my domain below with the word “example”.

If I manually change the url to login.example.com/ and leave the rest of the url alone and hit enter, it will refresh the page to https://login.example.com.

I can successfully log in to my app that’s hosted on AWS under demo.example.com

My understanding is if I want the app to go to login.example.com when it’s redirected to the login page I need to update the okta.oauth2.issuer entry from

https://dev-1234.okta.com/oauth2/default to

https://login.example.com/oauth2/default

If I do this, the login page will display fine, and the url will be https://login.example.com

with nothing after the “.com”.

After I enter a valid user / password I get an error

[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for “https://login.EXAMPLE.com/oauth2/default/v1/token”: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I updated the Authorization Server (I only have 1 entry) to:
Issuer : Custom URL (https://login.example.com/oauth2/default)
Metadata URI : https://login.example.com/oauth2/default/.well-known/oauth-authorization-server

Not sure what else I need to change.
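The PKIX error quoted above means the Java client could not link the certificate served at login.example.com to a root in its truststore, which is what happens when the custom domain presents the leaf certificate without its intermediate. The program below is an added example, not code from Okta or from this thread: it mints a constructed root, intermediate and leaf for login.example.com (names and keys are throwaway) and runs the same path-building check once with the leaf alone and once with the full chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert mints a throwaway certificate for name, self-signed when parent is nil (constructed demo PKI, not real certificates).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainStatus runs the check the JVM's PKIX validator applies in the handshake: can the served chain (leaf first) be built up to a root in the trust store? nil means yes.
func ChainStatus(served []*x509.Certificate, roots *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	for _, c := range served[1:] {
		inter.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err // x509.UnknownAuthorityError is Go's spelling of "unable to find valid certification path"
}

// DemoMissingIntermediate serves the login.example.com leaf alone, then together with its intermediate.
func DemoMissingIntermediate() (leafOnly, leafPlusIntermediate error) {
	root, rootKey := mkCert("demo-root-ca", true, nil, nil)
	inter, interKey := mkCert("demo-intermediate-ca", true, root, rootKey)
	leaf, _ := mkCert("login.example.com", false, inter, interKey)
	roots := x509.NewCertPool() // stands in for the JVM truststore, which holds roots only
	roots.AddCert(root)
	return ChainStatus([]*x509.Certificate{leaf}, roots, "login.example.com"),
		ChainStatus([]*x509.Certificate{leaf, inter}, roots, "login.example.com")
}
func main() {
	fmt.Println(DemoMissingIntermediate()) // leaf-only result first, then the full-chain result
}
```

To run the same check against the real endpoint, replace the constructed chain with the certificates a tls.Dial to login.example.com:443 returns in ConnectionState().PeerCertificates, and build the roots pool from the JVM's cacerts rather than the demo root.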

Under the Settings tab of that authorization server did you update the issuer dropdown?

Yes, it’s set to https://login.example.com/oauth2/default
and ‘example’ is my proper domain

And what happens if you use a new Authz Server instead of the default?

All the steps and the error I got are described above. I don’t know what else I can clarify.
Suggestions welcome on what else I can try to make this work.
Thanks.