Manually adding a Let’s Encrypt certificate to my Okta custom domain using certbot locally


Massive caveat: Currently (24 July 2020) Okta does not support automatic Let’s Encrypt certificates and renewals for custom domains. So I’ll have to do this again in at most 89 days’ time, which is why I’m writing it down. Ideally this post will not be needed for long, because Okta will set up one-click, auto-renewing Let’s Encrypt certificates for its custom domains.

Also, this is the way I did it, not the one and only way to do it.

I set up the custom domain, id.porchy.co.uk, following the steps in Okta’s “Enable the custom domain” guide. The following is for the “Add security certificate” step.

  1. Install certbot using Homebrew or however you install these things on your computer: brew install certbot This takes a long time! Go make a cup of tea, read a book, watch the heat death of the universe. Also do Step 2 while you wait. (This is a one-off step; if you already have certbot installed, skip it.)
  2. Get ready to update your DNS records for the domain, find your login, that sort of thing.
  3. Run sudo certbot certonly --manual --preferred-challenges dns This tells certbot we’re making a manual certificate and want the domain verification to be done via DNS. (Usually verification is a file served from the web root, but we can’t place files on our Okta-hosted domain.) Answer the prompts using the custom domain you set up for Okta.
  4. It will tell you a TXT record to create for verification. Do this now then continue. Verification worked right away for me, I’m not sure of the process if it doesn’t for you.
  5. Note where the certificates are located (the messages in your terminal from the generation of the certificate will tell you) and cat that file, e.g. sudo cat /path/to/fullchain.pem, then copy the top certificate (the first block, which is your domain’s own certificate) into the top box on the Okta form, keeping the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  6. Do the same for the private key. Cat the file and copy the contents into the private key field.
  7. I skipped the “chain” field and it worked fine.
  8. You’re done! Click the button to continue.
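Steps 5 to 7 involve picking the right block out of fullchain.pem by eye and pasting it, which is easy to get wrong. Here is an added shell helper (not part of the original post, and not an Okta or certbot tool) that splits a certbot-style bundle into the domain’s own certificate and the intermediate chain, checks that a private key actually belongs to a certificate, and tells you whether a certificate is still valid for a given number of days, which is the renewal reminder from the caveat at the top. The output file names leaf.pem and chain.pem are my own choice; the two verification functions assume openssl is on PATH; the sample bundle the script builds when run without arguments is constructed placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added helper for handling certbot output before pasting it into the Okta form.
# Assumes POSIX sh, awk and grep; openssl is only needed by the two verification functions.

# Split a PEM bundle (certbot's fullchain.pem) into the first certificate (the domain's own
# leaf certificate, what the post calls "the top certificate") and everything after it
# (the intermediate chain). leaf.pem and chain.pem are written next to the bundle.
split_pem_bundle() {
  bundle="$1"
  dir=$(dirname "$bundle")
  awk -v leaf="$dir/leaf.pem" -v chain="$dir/chain.pem" '
    /-----BEGIN CERTIFICATE-----/ { n++ }   # count each certificate block as it starts
    n == 1 { print > leaf }                 # first block goes to leaf.pem
    n >= 2 { print > chain }                # remaining blocks go to chain.pem
  ' "$bundle"
}

# Print the number of certificate blocks in a PEM file (0 if none, or if the file is missing).
count_certs() {
  c=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
  echo "${c:-0}"
}

# Return 0 when the public key inside certificate $1 equals the public key derived from
# private key $2, i.e. the two files belong together. Works for RSA and ECDSA keys. Needs openssl.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate $1 is still valid for at least $2 days, 1 when it expires sooner
# (time to run certbot again). Needs openssl.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Write a constructed two-certificate bundle with placeholder bodies (NOT real certificates)
# to $1, so the splitting logic can be exercised without touching the real certbot directory.
make_sample_bundle() {
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' \
    'CONSTRUCTED-LEAF-CERTIFICATE-PLACEHOLDER' \
    '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' \
    'CONSTRUCTED-INTERMEDIATE-CERTIFICATE-PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$1"
}

# Demo: with a path argument, split that bundle; without one, split the constructed sample.
if [ -n "${1:-}" ]; then
  target="$1"
else
  target="$(mktemp -d)/fullchain.pem"
  make_sample_bundle "$target"
fi
split_pem_bundle "$target"
out_dir=$(dirname "$target")
echo "leaf.pem holds $(count_certs "$out_dir/leaf.pem") certificate(s), chain.pem holds $(count_certs "$out_dir/chain.pem")"
```

Run it as sh pem_split.sh /path/to/fullchain.pem (the path certbot printed in step 5). leaf.pem is what goes in the top box in step 5, chain.pem is the material the “chain” field is for if you choose not to skip it as in step 7, and key_matches_cert leaf.pem /path/to/privkey.pem is worth running before pasting the key in step 6, because a mismatched pair is the most common reason a form like this rejects the upload.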

Figuring out what to do was the difficult bit in all of this; doing it was straightforward for me, and perhaps it will be this time too. Good luck.
