How to Safely Use cURL to Ignore SSL Errors: A Complete Guide

SSL (Secure Sockets Layer) certificates are a way for browsers to verify the authenticity of a website. An invalid SSL certificate will almost always result in an error message, warning the user not to proceed further (although some browsers may provide means to do so).

Additionally, when SSL certificate errors happen, that also indicates that the browser cannot properly encrypt data through the HTTPS protocol. Both of these are serious issues, both on the browser and the server end.

While they usually shouldn’t be ignored, there’s sometimes a good reason to bypass SSL certificate validation. For example, a website may be known, trusted, but simply had the certificate expire.

Understanding cURL and SSL

Most people will be familiar with the concept of an SSL certificate through a common error message that pops up when connecting to a website through a browser. SSL certificate errors, however, can happen through many different connection methods that work through HTTPS.

HTTPS implements various encryption methods such as SSL or TLS (Transport Layer Security) to ensure that no one can intercept traffic. So, when such methods fail, most browsers and other connection methods throw out errors to inform the user.

You can also be faced with SSL errors when using cURL . It’s a command-line tool that can work over numerous network protocols. Whenever you send a request through the HTTPS network protocol, cURL automatically attempts to validate the SSL certificate of a website.

When cURL can’t establish a secure connection due to SSL certificate errors, you’ll usually get an error message resembling the one below:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Since an SSL connection is an important part of HTTPS, cURL defaults to terminating the connection. Sometimes, however, you may want to start ignoring SSL certificate checks when using cURL for advanced use cases .

Reasons to Disable SSL Verification

While less tech-savvy users should always avoid ignoring SSL certificate checks, someone who knows what they’re doing can be completely safe in doing so.

One of the most common reasons to ignore SSL certificate errors is if a known and trusted website has had its certificate expire. SSL certificates don’t last forever, so sometimes administrators will forget to renew them, causing the error message.

In that case, ignoring SSL certificate errors is perfectly fine. Such an action won’t even need to be done for long, as most well-known websites will quickly fix the SSL certificate issue.

Another reason to disable SSL certificate errors is for testing purposes. If you’re a website administrator, you can surely ignore any SSL certificate errors as you know with certainty that your own website is legitimate.

Finally, you can also ignore SSL certificate errors when debugging a website, particularly for something that has to do with SSL itself.

How Do I Ignore SSL Certificate Errors in cURL?

You can use cURL to ignore SSL with a single command. There’s a specific cURL flag you need to set – “-k” or “–insecure”. Using such a cURL command will tell the tool to ignore any security checks (those of SSL in particular):

curl -k https://example.com

Note that the HTTPS prefix is important as there’s no SSL verification otherwise. In such a case, the flag would be redundant.

As with any other command, the cURL ignore SSL flag can be combined with almost any other. You can send, for example, a POST request while using the cURL ignore SSL errors flag at the same time:

curl -k -X POST -H "Content-Type: application/json" -d '{"key":"value"}' https://example.com/api

There’s plenty of other things you can do while the flag is set, such as send GET requests , use cURL proxies , and much more.

Both examples will skip verification by telling cURL to ignore certificate validation. These flags, however, should be used sparingly, as you won’t be establishing a secure connection.

How to Bypass SSL Without Disabling Security Checks?

Most such strategies revolve around manually implementing certificates to bypass external SSL verification. None of these are great if you’re connecting to a website you don’t own or manage, but they can come in handy when you’re testing or debugging.

First, you can always add a self-signed certificate to your local CA store. Your local CA store is a way to avoid triggering the invalid SSL certificate error. All OS have the local CA store wherein the system checks if a certificate exists and, if it does, considers it a valid SSL certificate.

On the other hand, you can use an SSL proxy to terminate any certificate verification. Instead of having the client communicate directly with the server, the proxy manages the client’s and server’s responses.

You don’t need to use any cURL command to avoid the error in such a case. The proxy itself terminates SSL by decrypting traffic and forwarding an unencrypted version to both ends of the communication chain.

Finally, there’s certificate pinning that completely bypasses the SSL process by hard-coding decryption keys within a system. Only if they match is the connection allowed. Pinning, however, has been deprecated due to the complexity and risks associated with the process.

FAQ