diff --git a/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl b/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl
index e858920e7..4e64a19a2 100644
--- a/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl
+++ b/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl
@@ -13,10 +13,13 @@
 -include_lib("emqx/include/logger.hrl").
 -define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1).
-%% @doc enable TLS partial_chain validation if set.
+-define(unknown_ca, unknown_ca).
+%% @doc enable TLS partial_chain validation
 -spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map().
 opt_partial_chain(#{partial_chain := false} = SslOpts) ->
- maps:remove(partial_chain, SslOpts);
+ %% For config update scenario, we must set it to override
+ %% the 'existing' partial_chain in the listener
+ SslOpts#{partial_chain := fun(_) -> ?unknown_ca end};
 opt_partial_chain(#{partial_chain := true} = SslOpts) ->
 SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
 opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) ->