The x509 certificate error occurs when Terraform cannot verify the SSL/TLS certificate of a server. This typically happens with self-signed certificates, custom CAs, or corporate proxies. Resolve by adding the certificate to your system's trust store or configuring Terraform to recognize the CA.
An x509 certificate error indicates a failure in the SSL/TLS certificate verification process. X.509 is the standard format for digital certificates. Terraform verifies the certificate chain of any server it connects to—whether that's Terraform Cloud, a backend state server, or an API endpoint. When Terraform encounters a certificate it cannot verify, it refuses the connection to protect against man-in-the-middle attacks. The error means either: (1) the certificate was signed by an untrusted Certificate Authority (CA) that is not in your system's trust store, (2) the certificate chain is incomplete, (3) the certificate is self-signed, (4) the certificate has expired, or (5) a corporate proxy is intercepting the connection with its own certificate.
First, determine which certificate is failing verification. Run Terraform with verbose logging to see the hostname:
TF_LOG=DEBUG terraform initLook for the server hostname in the error message. Then examine its certificate:
# For a web server
openssl s_client -connect example.com:443 -servername example.com < /dev/null | openssl x509 -text -noout
# For Terraform Enterprise
openssl s_client -connect tfe.company.com:443 < /dev/null | openssl x509 -text -nooutNote the "Issuer" field in the certificate output. If it says your organization or contains "CN=.*Internal", it's a custom or self-signed certificate.
If the certificate was issued by a custom CA, you need to obtain the root CA certificate. Common ways to do this:
From a server with the certificate:
# Export the certificate chain
openssl s_client -connect example.com:443 -showcerts < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca-bundle.crtFrom your organization's certificate store:
Ask your IT department for the root CA certificate or intermediate CA certificate in PEM format.
From Terraform Enterprise admin UI:
If using Terraform Enterprise, you can often export the certificate from the Replicated admin console on port 8800.
Copy the CA certificate to the system's CA directory and update the trust store:
# Copy the certificate
sudo cp ca-bundle.crt /usr/local/share/ca-certificates/custom-ca.crt
# Ensure proper permissions
sudo chmod 644 /usr/local/share/ca-certificates/custom-ca.crt
# Update the trust store
sudo update-ca-certificatesVerify the update succeeded:
ls -la /etc/ssl/certs/ | grep custom-caOn macOS, use the security command to add the certificate to Keychain:
# Convert PEM to DER if needed (some tools require DER)
openssl x509 -inform PEM -in ca-bundle.crt -outform DER -out ca-bundle.cer
# Add to System Keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca-bundle.crt
# Or for current user only
security add-trusted-cert -d -r trustRoot ca-bundle.crtNote: If you see "The certificate is not trusted" dialog, click "Always Trust" to add it to the keychain.
On Windows, use the certutil command or Certificate Manager:
Via Command Prompt (admin):
certutil -addstore -f "ROOT" ca-bundle.crtVia Certificate Manager GUI:
1. Press Win+R and type mmc
2. Click File → Add/Remove Snap-in
3. Select "Certificates" and click Add
4. Choose "Computer Account" (for system-wide) or "My user account" (for current user)
5. Navigate to Certificates → Trusted Root Certification Authorities
6. Right-click and select "All Tasks" → "Import"
7. Browse to your CA certificate file and complete the import wizard
After adding the certificate to the trust store, verify it works:
# Test with OpenSSL
openssl verify -CAfile ca-bundle.crt -untrusted ca-bundle.crt ca-bundle.crt
# Or for a remote server
openssl s_client -connect example.com:443 -CAfile ca-bundle.crt -servername example.comThen retry your Terraform command:
terraform init
terraform planTerraform Enterprise with Custom TLS:
If you run Terraform Enterprise with a custom TLS certificate, all workers and CLI clients must have the Terraform Enterprise CA in their trust store. This is configured on the Replicated admin console (port 8800) under Settings → SSL/TLS Configuration. Certificates must be PEM-encoded.
Corporate Proxy Interception:
Some corporate security tools (like Zscaler) use a technique called "SSL/TLS inspection" where they intercept connections and present their own certificate signed by a corporate CA. If you get x509 errors only behind your corporate firewall, this is likely the cause. Ask your IT/security team for the corporate CA certificate bundle.
System Clock Issues:
If certificates appear invalid even though the chain is correct, verify your system clock is accurate. Use NTP to sync:
# Linux
timedatectl set-ntp true
sudo ntpdate -s time.nist.gov
# macOS
sudo sntp -sS time.apple.comOffline Mode / Air-Gapped Environments:
In offline Terraform Enterprise installations or air-gapped networks, you may need to manually download and configure CA certificates. Refer to the offline deployment guide in your Terraform Enterprise documentation.
Debugging Certificate Chains:
To see the full certificate chain that a server presents:
openssl s_client -connect example.com:443 -showcerts -servername example.comThe output shows the end-entity certificate first, followed by intermediate certificates, ending with the root CA.
Error: Error installing helm release: cannot re-use a name that is still in use
How to fix "release name in use" error in Terraform with Helm
Error: Error creating GKE Cluster: BadRequest
BadRequest error creating GKE cluster in Terraform
Error: External program failed to produce valid JSON
External program failed to produce valid JSON
Error: Unsupported argument in child module call
How to fix "Unsupported argument in child module call" in Terraform
Error: network is unreachable
How to fix "network is unreachable" in Terraform