I have had this issue where one of the certs had expired. In $SPLUNK_HOME/etc/auth/idpCerts, Splunk creates a folder called idpCertChain_1 where it breaks apart the cert you pasted (IdP certificate chains--these are the signing certs from your SSO provider--this can often be found in a metadata file from the provider or sometimes they just outright have a way for you to download it) from the setup into various certs and calls them cert_1.pem, cert_2.pem, ... etc. cert_1.pem is the root CA, cert_2.pem would be an issuing CA if applicable--if not would be the main cert from the IdP (fancy name for single sign-on provider). You can check the certs out using $SPLUNK_HOME/bin/splunk cmd openssl x509 -noout -text -in cert_1.pem to see when it expires, adding -enddate will print that line last like so:
$SPLUNK_HOME/bin/splunk cmd openssl x509 -noout -text -in $SPLUNK_HOME/etc/auth/idpCerts/idpCertChain_1/cert_1.pem -enddate
Updating the cert with one that was not expired fixed the issue in my case.
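The per-file check described in the post above can be run over every cert_N.pem in the chain folder at once. The following is an added example, not part of the original post or Splunk's own tooling; the function names ossl and check_idp_chain and the 30-day warning window are assumptions made here.

```shell
#!/bin/sh
# Added example: report the expiry state of every cert_N.pem in a chain folder.

# Use Splunk's bundled openssl when SPLUNK_HOME is set, else the system one.
ossl() {
  if [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    "$SPLUNK_HOME/bin/splunk" cmd openssl "$@"
  else
    openssl "$@"
  fi
}

# check_idp_chain DIR [DAYS]
# Prints one tab-separated line per cert: status, notAfter, file, subject.
# Returns 0 if all certs are valid beyond DAYS, 1 if any is expired,
# expiring or unreadable, 2 if DIR holds no cert_*.pem files.
check_idp_chain() {
  dir=$1
  days=${2:-30}          # assumed warning window, not a Splunk setting
  bad=0
  found=0
  for pem in "$dir"/cert_*.pem; do
    [ -f "$pem" ] || continue
    found=1
    end=$(ossl x509 -noout -enddate -in "$pem" 2>/dev/null | sed 's/^notAfter=//')
    if [ -z "$end" ]; then
      # Not a parseable PEM certificate (truncated paste, wrong file, ...)
      bad=$((bad + 1))
      printf 'UNREADABLE\t-\t%s\t-\n' "${pem##*/}"
      continue
    fi
    subj=$(ossl x509 -noout -subject -in "$pem" 2>/dev/null | sed 's/^subject= *//')
    # -checkend N exits non-zero when the cert expires within N seconds.
    if ! ossl x509 -noout -checkend 0 -in "$pem" >/dev/null 2>&1; then
      status=EXPIRED; bad=$((bad + 1))
    elif ! ossl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null 2>&1; then
      status=EXPIRING; bad=$((bad + 1))
    else
      status=OK
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$end" "${pem##*/}" "$subj"
  done
  [ "$found" -eq 1 ] || { echo "no cert_*.pem files in $dir" >&2; return 2; }
  [ "$bad" -eq 0 ]
}

# Run directly:  sh check_idp_chain.sh "$SPLUNK_HOME/etc/auth/idpCerts/idpCertChain_1" 30
if [ "$#" -gt 0 ]; then check_idp_chain "$@"; fi
```

The non-zero exit status makes the function usable from cron or a scripted input, so an expiring IdP signing cert is flagged before SSO logins start failing.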