How to avoid SSL verification

I know that Terraform must work with HTTPS.
And I have built a Terraform private registry that works with HTTP.

However, it’s difficult for me to access a trusted SSL cert.

I think updating the source code and building Terraform would be useful,
so I want to know which file to update in the Terraform source code.
Just to let me run terraform init to download modules.

The following picture is the error screenshot:

After running ngrok, it seems I also need to do something.

Try to use insecure = true in the provider configuration.

Hi @781058829,

This particular error message seems to suggest that the server isn’t correctly implementing the TLS protocol at all. This is not the error message I would expect for an untrusted TLS certificate.

Are you sure that this server is configured to use TLS? I wonder if it’s expecting a plain HTTP connection instead of an HTTPS connection, and so it’s responding with some kind of HTTP error instead of with a valid TLS handshake response.

One way to check this would be to use a packet capture tool like Wireshark to observe exactly what data is being sent to and from this server when Terraform runs.


It is true that you will need to have a TLS certificate that is trusted on the computer where you are running Terraform. You can add your own private trust root to your system if you intend to use a certificate you’ve signed yourself, instead of using a public certificate authority. The exact details of that vary depending on your operating system.

However, I don’t think an untrusted certificate is the most likely cause for the error message you’ve shared here, as I described above. Therefore I would not suggest trying to set up internal certificate trust yet, until you’ve confirmed that your server is configured to accept HTTPS connections at all.

Hello @apparentlymart

This is the error after configuring a self-signed SSL cert,

after adding cert.crt to /usr/local/share/ca-certificates && running update-ca-certificates.

Could you give me some suggestions?

Many thanks.

Hi @781058829,

In the last error message you shared, the most important part is the end of the message:

error downloading https://localhost:8000/modules/my-tf-application__sbx/vnet/azurerm/1.0.0: bad response code: 401

“401” is the HTTP response code for Unauthorized. The fact that Terraform received that error suggests that you’ve successfully configured your TLS certificate trust, because the TLS handshake must have completed successfully in order for any HTTP-level error to be returned. You now have a new problem, separate from the one you originally asked about.


One thing I’ve noticed about the screenshot you shared is that it says it was downloading a module from an HTTPS URL directly:

Downloading https://localhost:8000/modules/my-tf-application__sbx/vnet/azurerm/1.0.0 for test...

That suggests that you’ve specified an HTTPS URL in the source argument of this module block, instead of a module registry source address.

If you intend to use the module registry protocol then you will need to specify the module to install using the module registry address syntax, like this:

module "test" {
  source  = "localhost:5000/my-tf-application__sbx/vnet/azurerm"
  version = "1.0.0"

  # ...
}

For the above to work, some additional things will need to be true:

  • Your server must have a Remote Service Discovery document specifying the base URL of the module registry endpoints for this host.

    Specifically, https://localhost:5000/.well-known/terraform.json should return the following JSON:

    {"modules.v1":"/modules/"}
    

    This tells Terraform that modules belonging to the localhost:5000 hostname should be requested using URLs under https://localhost:5000/modules/, which matches the URL scheme you’ve shown in your screenshots.

  • Your server seems to require an authentication token (“401” here means the HTTP 401 Unauthorized error code), and so you’ll need to add a credentials block in your CLI Configuration specifying the authentication token to use:

    credentials "localhost:5000" {
      token = "EXAMPLE-TOKEN"
    }
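
The lookup sequence described in the reply above, as an added example that is not part of the original posts and is not Terraform's own code: a simplified Python model of service discovery followed by the module registry download request, showing why a request without the token ends in 401. The fake_registry handler, the storage URL and the unauthenticated discovery endpoint are assumptions; the host, module path and token are the thread's sample values.

```python
import json
from urllib.parse import urljoin

# Constructed sample data: the token and discovery document mirror the
# thread's examples; the storage URL and this handler are assumptions.
TOKEN = "EXAMPLE-TOKEN"
DISCOVERY = json.dumps({"modules.v1": "/modules/"})


def fake_registry(path, headers):
    """Hypothetical server side: returns (status, headers, body)."""
    if path == "/.well-known/terraform.json":
        return 200, {"Content-Type": "application/json"}, DISCOVERY
    if headers.get("Authorization") != f"Bearer {TOKEN}":
        return 401, {}, ""  # the error seen in the thread
    if path == "/modules/my-tf-application__sbx/vnet/azurerm/1.0.0/download":
        return 204, {"X-Terraform-Get": "https://storage.example/vnet-1.0.0.zip"}, ""
    return 404, {}, ""


def resolve_module(source, version, token=None):
    """Client side: requests made for "<host>/<namespace>/<name>/<system>"."""
    parts = source.split("/")
    if len(parts) != 4 or "://" in source:
        raise ValueError("not a registry address (a URL source is fetched directly)")
    host, namespace, name, system = parts
    base = f"https://{host}"  # registry hosts are contacted over HTTPS only
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    # Step 1: service discovery (this sample server needs no token for it).
    _, _, body = fake_registry("/.well-known/terraform.json", headers)
    modules_base = urljoin(base + "/", json.loads(body)["modules.v1"])
    # Step 2: ask the registry where the requested version can be downloaded.
    url = urljoin(modules_base, f"{namespace}/{name}/{system}/{version}/download")
    status, resp_headers, _ = fake_registry(url[len(base):], headers)
    return status, url, resp_headers.get("X-Terraform-Get")
```

The token value a credentials block supplies is sent as the bearer token in the Authorization header, which is what the sample server checks before answering the download request.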
    

First, thanks for your answer.

The Docker container running at port 8000 has been configured with a self-signed cert. When I log in, it shows that it does not support creating a token. Is there any other way to get a token?

For a server you’ve implemented yourself, I can’t know what would be a suitable way to generate a token for it.

However, if you follow what I suggested earlier and manually configure credentials in your CLI configuration then you won’t need to use terraform login. That command just automates the creation of the same credentials block in the CLI Configuration, so if you manually add that block then you don’t need to run the login command.

If you do want to make the terraform login command work on your hostname then you will need to implement this additional protocol and announce it in the terraform.json file: