OKTA003 - Okta TLS/SSL Certificate Error
Agent error code #OKTA003 indicates that the agent's TLS handshake with the configured Okta domain failed. The certificate presented by the endpoint could not be verified against the system trust store.
This error is distinct from connection failures (#OKTA000) and timeouts (#OKTA004). It indicates the TCP connection succeeded but the TLS layer rejected the certificate.
Common causes include:
- A TLS-intercepting proxy (corporate Zscaler, Netskope, Palo Alto, etc.) is sitting between the agent and Okta and re-signing the certificate with a CA the agent does not trust
- The system root CA bundle on the agent host is missing, outdated, or corrupt
- The agent host's system clock is significantly skewed, so the Okta certificate appears not-yet-valid or expired
Steps to Resolve
Verify the System Clock
- On the agent host, run date -u and confirm the time is within a few seconds of UTC
- If clock skew is more than a minute, enable NTP (timedatectl set-ntp true on most Linux distros) and re-sync
Inspect the Certificate Chain
- From the agent host, run: openssl s_client -showcerts -connect <your-domain>:443 -servername <your-domain> </dev/null
- Confirm the issuer chain ends at a publicly trusted root (DigiCert, Sectigo, etc.)
- If the chain shows a corporate CA, a TLS proxy is in the path. Either bypass it for *.okta.com or install its root CA in the system trust store
Refresh the System CA Bundle
If the chain looks correct but verification still fails, the system CA bundle may be stale:
- Debian/Ubuntu: apt-get install --reinstall ca-certificates && update-ca-certificates
- RHEL/CentOS: yum reinstall ca-certificates && update-ca-trust extract
- Alpine: apk add --no-cache ca-certificates && update-ca-certificates
For the full setup, see the Okta setup guide.
Still Having Issues?
We can help you out; contact us at support@knocknoc.io.