Connections to onion sites are already encrypted through the onion routing process. The unencrypted http connection only goes to your own node (localhost). So there is no need for TLS/https encryption.

Also, onion sites usually don't have TLS certificates, because this would mean they had to register at a certificate authority, which would undermine the anonymity of the node. Instead, they can be uniquely identified by the onion address. The onion address essentially is a public key, so nobody can forge the private key by brute force.  

 Normal. Onions are always encrypted by default.