docs(dev-portal): note lua_ssl_verify_depth for Auth0 DCR on self-managed data planes#5871
Open
HenriPro wants to merge 1 commit into
Open
docs(dev-portal): note lua_ssl_verify_depth for Auth0 DCR on self-managed data planes#5871HenriPro wants to merge 1 commit into
HenriPro wants to merge 1 commit into
Conversation
✅ Deploy Preview for kongdeveloper ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
b75fd69 to
0799434
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds documentation to the Auth0 DCR how-to to help users running self-managed (hybrid) data planes troubleshoot and fix TLS verification failures when validating tokens against Auth0, by pointing them to the relevant kong.conf TLS verification settings.
Changes:
- Added a new
{:.warning}callout describing the TLS handshake failure scenario for Auth0 on self-managed data planes. - Documented the recommended
kong.confadjustments (lua_ssl_verify_depthandlua_ssl_trusted_certificate) and clarified that Konnect-managed data planes are not impacted.
cebea6d to
6954602
Compare
…aged DPs Auth0 certificates issued by Let's Encrypt present a certificate chain with multiple intermediate CAs, which exceeds the default lua_ssl_verify_depth of 1. With certificate verification enabled by default in Gateway 3.14+, the TLS handshake to the Auth0 issuer fails when self-managed data planes validate tokens. Add a warning to the Auth0 DCR how-to explaining the fix (raise lua_ssl_verify_depth and ensure lua_ssl_trusted_certificate includes system).
6954602 to
4ee71be
Compare
Mierenga
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Adds a warning to the Auth0 DCR how-to explaining a TLS verification failure that self-managed (hybrid) data planes hit when validating tokens against Auth0.
Why
Auth0 now issues certificates via Let's Encrypt, whose certificate chain has multiple intermediate CAs:
This is deeper than Kong Gateway's default
lua_ssl_verify_depthof1. Combined with certificate verification being enabled by default in Gateway 3.14+, the TLS handshake to the Auth0 issuer fails when a self-managed data plane connects to validate tokens.The fix documented
lua_ssl_verify_depthto a value that accommodates the full chain (e.g.5, leaving headroom).lua_ssl_trusted_certificateincludessystemso the root CA is trusted.Follows the same house-style
{:.warning}pattern as the existing Azure SMTP note.Notes for reviewer
make valelocally (toolchain not installed); the prose mirrors an existing note, but please let CI/vale confirm.5for headroom; open to aligning with the2used in the Azure SMTP doc if preferred.