Self-Signed TLS
Production Terraform Enterprise and HCP Terraform deployments typically use certificates your system already trusts — no extra configuration is required.
This page is for a narrower case: local development and testing, where TFE may run with a self-signed certificate or a private CA that is not installed on your machine (for example a local.tfe.rocks dev instance). In that situation, TFx API calls can fail with:
tls: failed to verify certificate: x509: certificate signed by unknown authorityTFx can skip TLS certificate verification in those environments. This is off by default — you must opt in explicitly.
Profile setting (recommended)
Add ssl_skip_verify = true to the profile block in ~/.tfx.hcl:
profile "local" { hostname = "local.tfe.rocks" organization = "org-alpha" token = "your-token" ssl_skip_verify = true}When the key is absent, TFx treats it as false and performs normal certificate verification.
Use the profile as usual:
tfx varset list --profile localtfx --profile local # TUIssl_skip_verify is preserved when you re-authenticate with tfx login on an existing profile — you do not need to set it again after updating a token.
One-off CLI flag
For a single command without editing the config file:
tfx workspace list --profile local --ssl-skip-verifyEnvironment variable
Set TFE_SSL_SKIP_VERIFY when you need skip-verify before a profile exists (for example during the first tfx login against a self-signed host):
export TFE_SSL_SKIP_VERIFY=truetfx login local.tfe.rocksYou can combine it with a profile that already has ssl_skip_verify = true:
TFE_SSL_SKIP_VERIFY=true tfx varset list --profile localConfiguration precedence
When multiple sources are set, the highest-precedence source wins:
- CLI flag —
--ssl-skip-verify - Environment variable —
TFE_SSL_SKIP_VERIFY - Profile value —
ssl_skip_verifyin.tfx.hcl - Default —
false
Alternatives (recommended)
Before enabling ssl_skip_verify, consider installing the certificate in your system trust store. TFx uses the same trust store as other HTTPS clients — once the CA or cert is trusted, no skip-verify setting is needed.
For local development, tools like mkcert can issue certificates your machine trusts by default. That is the safer long-term approach for repeated dev work against a local TFE instance.