Skip to content

Self-Signed TLS

Production Terraform Enterprise and HCP Terraform deployments typically use certificates your system already trusts — no extra configuration is required.

This page is for a narrower case: local development and testing, where TFE may run with a self-signed certificate or a private CA that is not installed on your machine (for example a local.tfe.rocks dev instance). In that situation, TFx API calls can fail with:

tls: failed to verify certificate: x509: certificate signed by unknown authority

TFx can skip TLS certificate verification in those environments. This is off by default — you must opt in explicitly.

Add ssl_skip_verify = true to the profile block in ~/.tfx.hcl:

profile "local" {
hostname = "local.tfe.rocks"
organization = "org-alpha"
token = "your-token"
ssl_skip_verify = true
}

When the key is absent, TFx treats it as false and performs normal certificate verification.

Use the profile as usual:

Terminal window
tfx varset list --profile local
tfx --profile local # TUI

ssl_skip_verify is preserved when you re-authenticate with tfx login on an existing profile — you do not need to set it again after updating a token.

One-off CLI flag

For a single command without editing the config file:

Terminal window
tfx workspace list --profile local --ssl-skip-verify

Environment variable

Set TFE_SSL_SKIP_VERIFY when you need skip-verify before a profile exists (for example during the first tfx login against a self-signed host):

Terminal window
export TFE_SSL_SKIP_VERIFY=true
tfx login local.tfe.rocks

You can combine it with a profile that already has ssl_skip_verify = true:

Terminal window
TFE_SSL_SKIP_VERIFY=true tfx varset list --profile local

Configuration precedence

When multiple sources are set, the highest-precedence source wins:

  1. CLI flag--ssl-skip-verify
  2. Environment variableTFE_SSL_SKIP_VERIFY
  3. Profile valuessl_skip_verify in .tfx.hcl
  4. Defaultfalse

Before enabling ssl_skip_verify, consider installing the certificate in your system trust store. TFx uses the same trust store as other HTTPS clients — once the CA or cert is trusted, no skip-verify setting is needed.

For local development, tools like mkcert can issue certificates your machine trusts by default. That is the safer long-term approach for repeated dev work against a local TFE instance.