Issues with custom domain

I’ve followed the directions here

https://developer.okta.com/docs/guides/custom-url-domain/overview/

but it’s not completely working.

I’ve enabled the custom domain, and when I go to the login page I do see my changes (the company name there). The URL is still dev-xxxx.okta/etc

I’ve replaced my domain below with the word “example”.

If I manually change the URL to login.example.com/ and leave the rest of the URL alone and hit enter, it will refresh the page to https://login.example.com.

I can successfully log in to my app that’s hosted on AWS under demo.example.com

My understanding is if I want the app to go to login.example.com when it’s redirected to the login page I need to update the okta.oauth2.issuer entry from

https://dev-1234.okta.com/oauth2/default to

https://login.example.com/oauth2/default

If I do this, the login page will display fine, and the url will be https://login.example.com

with nothing after the “.com”.

After I enter a valid user / password I get an error

[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for “https://login.EXAMPLE.com/oauth2/default/v1/token”: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I updated the Authorization Server (I only have 1 entry) to
Issuer: Custom URL (https://login.example.com/oauth2/default)
Metadata URI: https://login.example.com/oauth2/default/.well-known/oauth-authorization-server

Not sure what else I need to change.

Under the Settings tab of that authorization server did you update the issuer dropdown?

Yes, it’s set to https://login.example.com/oauth2/default
and ‘example’ is my proper domain

And what happens if you use a new Authz Server instead of the default?

All the steps and the error I got are described above. I don’t know what else I can clarify.
Suggestions welcome on what else I can try to make this work.
thanks

Hi @Vladimir

If you add the custom domain that you’ve set up (eg. login.example.com) under https://www.sslshopper.com/ssl-checker.html, what details does it provide?

SSL checker showed there was a problem with the certificate chain. Certificate chain is “Optional” in the Okta custom domain setup screen so I did not enter it.

I’ve re-entered my certificate including the Certificate Chain and it works now.
thanks for your help
Vladimir


I had to renew the cert for our Okta custom URL, and app owners started reporting issues with the apps’ calls. The issue was that the optional cert chain parameter wasn’t populated.
After updating the cert chain the issue has been resolved.
Your post helped me resolve the issue. Thank you!
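Both of the resolved cases above (the original PKIX failure and the post-renewal breakage) come down to the custom domain serving only its leaf certificate. The following diagnostic is an added example, not code from this thread or from Okta: it captures what the endpoint actually sends with `openssl s_client` and flags an incomplete chain before a Java client reports `PKIX path building failed`. The host name `login.example.com` and the sample output are constructed for illustration.

```shell
# Added diagnostic, not code from the original thread: checks whether a TLS endpoint
# (e.g. an Okta custom domain) serves its full certificate chain. A Java client that
# receives only the leaf reports "PKIX path building failed", as seen in this thread.
# Usage: capture_chain login.example.com > chain.txt; chain_report chain.txt
capture_chain() {
  # -servername sends SNI so the custom-domain certificate is the one returned
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Number of certificates the server sent (leaf plus any intermediates)
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Numeric "Verify return code" from the s_client output (0 means the chain verified)
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Prints a verdict; exit status 0 only when the chain verifies
chain_report() {
  n=$(count_certs "$1")
  code=$(verify_code "$1")
  if [ "$code" = "0" ]; then
    echo "OK: $n certificate(s) sent, chain verifies"
  elif [ "$code" = "21" ] && [ "$n" = "1" ]; then
    # code 21 = "unable to verify the first certificate": no intermediate was sent
    echo "INCOMPLETE: only the leaf was sent; add the intermediate chain"
    return 1
  else
    echo "FAILED: $n certificate(s) sent, verify return code ${code:-unknown}"
    return 1
  fi
}

# Constructed sample of s_client output for a server that omits its intermediate
sample_incomplete() {
  cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = login.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
(placeholder body, not a real certificate)
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
```

Run `capture_chain` against the real host and feed the saved output to `chain_report`; an `INCOMPLETE` verdict means the Certificate Chain field in the Okta custom domain setup needs the issuing intermediate(s).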