Problem
After starting Terraform Enterprise (TFE), you may encounter the following error when accessing the application URL.
400 Bad Request The plain HTTP request was sent to HTTPS port
Cause
This error occurs when TLS termination happens at a network layer before traffic reaches the Terraform Enterprise instance. For example, a load balancer or an OpenShift route may terminate HTTPS and then forward unencrypted HTTP traffic to the TFE instance's HTTPS listener, causing the application to reject the mismatched request.
An incorrect OpenShift route configuration is a common cause of this issue. The following configuration uses termination: edge, which terminates TLS at the router and forwards unencrypted traffic, leading to the error.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: tfe-route
  namespace: terraform-enterprise
spec:
  host: tfe.example.com
  to:
    kind: Service
    name: tfe-service
    weight: 100
  port:
    targetPort: https
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
Solutions
To resolve this issue, you must update your routing configuration to ensure traffic is encrypted when it reaches the Terraform Enterprise instance. The following options describe how to correctly configure an OpenShift route.
Option 1: Use Passthrough Termination
This approach allows encrypted TLS traffic to pass directly to the Terraform Enterprise instance without being terminated at the router. Update the tls block in your route configuration as follows.
tls:
  termination: passthrough
wildcardPolicy: None
Option 2: Use Re-encrypt Termination
This approach terminates TLS at the router and then re-encrypts the traffic before forwarding it to Terraform Enterprise. This requires providing a destination CA certificate. Update the tls block in your route configuration as follows.
tls:
  termination: reencrypt
  destinationCACertificate: |
    -----BEGIN CERTIFICATE-----
    ## Add your destination CA certificate here.
    -----END CERTIFICATE-----
wildcardPolicy: None
Outcome
After applying the correct TLS termination configuration in your routing layer, Terraform Enterprise should become accessible via its HTTPS URL and display the login page as expected.
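To confirm that no route still has the mismatch described above, the following added example (not part of the original article or of HashiCorp's tooling) audits Route objects in the JSON form returned by oc get routes -o json. The sample input is constructed, and treating a target port named https or numbered 443/8443 as a TLS listener is an assumption.

```python
import json

# Assumption: a target port named "https" or numbered 443/8443 is a TLS listener.
TLS_PORTS = {"https", "443", "8443"}

# Constructed sample shaped like `oc get routes -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "terraform-enterprise", "name": "tfe-route"},
     "spec": {"port": {"targetPort": "https"},
              "tls": {"termination": "edge"}}},
    {"metadata": {"namespace": "terraform-enterprise", "name": "tfe-passthrough"},
     "spec": {"port": {"targetPort": "https"},
              "tls": {"termination": "passthrough"}}},
    {"metadata": {"namespace": "terraform-enterprise", "name": "tfe-reencrypt"},
     "spec": {"port": {"targetPort": 8443},
              "tls": {"termination": "reencrypt"}}},
    {"metadata": {"namespace": "demo", "name": "plain-web"},
     "spec": {"port": {"targetPort": "http"}}},
]})


def audit_routes(route_list_json):
    """Return (namespace/name, finding) pairs for routes that need attention."""
    findings = []
    for route in json.loads(route_list_json).get("items", []):
        meta, spec = route.get("metadata", {}), route.get("spec", {})
        ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        port = str(spec.get("port", {}).get("targetPort", "")).lower()
        tls = spec.get("tls") or {}
        termination = tls.get("termination")  # None means a plain HTTP route
        if port in TLS_PORTS and termination in (None, "edge"):
            # The router sends unencrypted HTTP to a listener expecting TLS.
            findings.append((ident, "router forwards plain HTTP to a TLS port; "
                                    "use passthrough or reencrypt"))
        elif termination == "reencrypt" and not tls.get("destinationCACertificate"):
            # The article states reencrypt requires a destination CA certificate.
            findings.append((ident, "reencrypt without destinationCACertificate"))
    return findings


if __name__ == "__main__":
    for ident, finding in audit_routes(SAMPLE):
        print(f"{ident}: {finding}")
```

To run it against a live cluster, pass the output of oc get routes -A -o json to audit_routes in place of SAMPLE.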
Additional Information
For more details on network configuration, you may refer to the official Terraform Enterprise documentation on networking requirements and the OpenShift documentation for route configuration.