diff --git a/apps/emqx_auth_ext/src/emqx_auth_ext_tls_const_v1.erl b/apps/emqx_auth_ext/src/emqx_auth_ext_tls_const_v1.erl
index ed95b8270..1abc5c2a4 100644
--- a/apps/emqx_auth_ext/src/emqx_auth_ext_tls_const_v1.erl
+++ b/apps/emqx_auth_ext/src/emqx_auth_ext_tls_const_v1.erl
@@ -10,7 +10,12 @@
     make_tls_verify_fun/2
 ]).
 
+-export([default_root_fun/1]).
+
 -include_lib("public_key/include/public_key.hrl").
+
+-define(unknown_ca, unknown_ca).
+
 %% @doc Build a root fun for verify TLS partial_chain.
 %% The `InputChain' is composed by OTP SSL with local cert store
 %% AND the cert (chain if any) from the client.
@@ -109,3 +114,8 @@ ext_key_opts(Str) ->
         end,
         Usages
     ).
+
+%% @doc default root fun for partial_chain 'false'
+-spec default_root_fun(_) -> ?unknown_ca.
+default_root_fun(_) ->
+    ?unknown_ca.
diff --git a/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl b/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl
index 4e64a19a2..a0ddba8fd 100644
--- a/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl
+++ b/apps/emqx_auth_ext/src/emqx_auth_ext_tls_lib.erl
@@ -13,13 +13,12 @@
 -include_lib("emqx/include/logger.hrl").
 
 -define(CONST_MOD_V1, emqx_auth_ext_tls_const_v1).
--define(unknown_ca, unknown_ca).
 %% @doc enable TLS partial_chain validation
 -spec opt_partial_chain(SslOpts :: map()) -> NewSslOpts :: map().
 opt_partial_chain(#{partial_chain := false} = SslOpts) ->
     %% For config update scenario, we must set it to override
     %% the 'existing' partial_chain in the listener
-    SslOpts#{partial_chain := fun(_) -> ?unknown_ca end};
+    SslOpts#{partial_chain := fun ?CONST_MOD_V1:default_root_fun/1};
 opt_partial_chain(#{partial_chain := true} = SslOpts) ->
     SslOpts#{partial_chain := rootfun_trusted_ca_from_cacertfile(1, SslOpts)};
 opt_partial_chain(#{partial_chain := cacert_from_cacertfile} = SslOpts) ->