Skip to content

docs(dev-portal): note lua_ssl_verify_depth for Auth0 DCR on self-managed data planes#5871

Open
HenriPro wants to merge 1 commit into
mainfrom
docs/auth0-dcr-tls-verify-depth
Open

docs(dev-portal): note lua_ssl_verify_depth for Auth0 DCR on self-managed data planes#5871
HenriPro wants to merge 1 commit into
mainfrom
docs/auth0-dcr-tls-verify-depth

Conversation

@HenriPro

@HenriPro HenriPro commented Jul 7, 2026

Copy link
Copy Markdown

What this does

Adds a warning to the Auth0 DCR how-to explaining a TLS verification failure that self-managed (hybrid) data planes hit when validating tokens against Auth0.

Why

Auth0 now issues certificates via Let's Encrypt, whose certificate chain has multiple intermediate CAs:

Depth 0: us.auth0.com                          (leaf)
Depth 1: Let's Encrypt intermediate CA
Depth 2: ISRG intermediate CA
Depth 3: ISRG Root X2                           (trusted root)

This is deeper than Kong Gateway's default lua_ssl_verify_depth of 1. Combined with certificate verification being enabled by default in Gateway 3.14+, the TLS handshake to the Auth0 issuer fails when a self-managed data plane connects to validate tokens.

The fix documented

  • Set lua_ssl_verify_depth to a value that accommodates the full chain (e.g. 5, leaving headroom).
  • Ensure lua_ssl_trusted_certificate includes system so the root CA is trusted.
  • Note that Konnect-managed data planes aren't affected.

Follows the same house-style {:.warning} pattern as the existing Azure SMTP note.

Notes for reviewer

  • I did not run make vale locally (toolchain not installed); the prose mirrors an existing note, but please let CI/vale confirm.
  • Recommended depth value is 5 for headroom; open to aligning with the 2 used in the Azure SMTP doc if preferred.

@HenriPro HenriPro requested a review from a team as a code owner July 7, 2026 20:42
Copilot AI review requested due to automatic review settings July 7, 2026 20:42
@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for kongdeveloper ready!

Name Link
🔨 Latest commit 4ee71be
🔍 Latest deploy log https://app.netlify.com/projects/kongdeveloper/deploys/6a4d65ed78b6940008c00e36
😎 Deploy Preview https://deploy-preview-5871--kongdeveloper.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@HenriPro HenriPro force-pushed the docs/auth0-dcr-tls-verify-depth branch from b75fd69 to 0799434 Compare July 7, 2026 20:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds documentation to the Auth0 DCR how-to to help users running self-managed (hybrid) data planes troubleshoot and fix TLS verification failures when validating tokens against Auth0, by pointing them to the relevant kong.conf TLS verification settings.

Changes:

  • Added a new {:.warning} callout describing the TLS handshake failure scenario for Auth0 on self-managed data planes.
  • Documented the recommended kong.conf adjustments (lua_ssl_verify_depth and lua_ssl_trusted_certificate) and clarified that Konnect-managed data planes are not impacted.

Comment thread app/_how-tos/dev-portal/auth0-dcr.md Outdated
@HenriPro HenriPro force-pushed the docs/auth0-dcr-tls-verify-depth branch 2 times, most recently from cebea6d to 6954602 Compare July 7, 2026 20:46
…aged DPs

Auth0 certificates issued by Let's Encrypt present a certificate chain
with multiple intermediate CAs, which exceeds the default
lua_ssl_verify_depth of 1. With certificate verification enabled by
default in Gateway 3.14+, the TLS handshake to the Auth0 issuer fails
when self-managed data planes validate tokens.

Add a warning to the Auth0 DCR how-to explaining the fix (raise
lua_ssl_verify_depth and ensure lua_ssl_trusted_certificate includes
system).
@HenriPro HenriPro force-pushed the docs/auth0-dcr-tls-verify-depth branch from 6954602 to 4ee71be Compare July 7, 2026 20:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants