Introduction
After starting Terraform Enterprise (TFE), you may encounter the following error when accessing the default URL:
400 Bad Request
The plain HTTP request was sent to HTTPS portProblem
Terraform Enterprise is receiving HTTP traffic on an HTTPS port, causing the application to reject the request.
Cause
This issue occurs when TLS termination happens before the traffic reaches the Terraform Enterprise instance — for example, if a load balancer or routing layer terminates HTTPS and then forwards unencrypted HTTP traffic to TFE’s HTTPS listener.
Solutions:
Verify your routing configuration to ensure that TLS is not terminated before reaching Terraform Enterprise, or that it is properly re-encrypted before being forwarded.
Example: OpenShift Route Configuration
In an OpenShift environment, the following route configuration can cause the issue:
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: tfe-route
namespace: terraform-enterprise
spec:
host: tfe.example.com
to:
kind: Service
name: tfe-service
weight: 100
port:
targetPort: https
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: NoneWith termination: edge, OpenShift terminates TLS and forwards unencrypted HTTP traffic to the TFE service’s HTTPS port, resulting in the 400 Bad Request error.
To resolve the issue, update your route configuration to use one of the following options:
Option 1: Passthrough Termination
Allows TLS traffic to pass directly to Terraform Enterprise without termination.
tls:
termination: passthrough
wildcardPolicy: None
Option 2: Re-encrypt Termination
Terminates TLS at the router, then re-encrypts traffic before sending it to TFE.
tls:
termination: reencrypt
destinationCACertificate: |
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
wildcardPolicy: None
Outcome
After applying the correct TLS configuration, Terraform Enterprise should become accessible via HTTPS and display the login page as expected.