How to Ignore SSL Certificate Errors with cURL

When working with local development environments, self-signed certificates, or misconfigured servers, cURL will often block HTTPS requests due to SSL validation errors. This article provides a quick and direct guide on how to bypass these security checks using cURL’s built-in command-line options, explains the exact syntax to use, and outlines the security implications of doing so.

To instruct cURL to ignore SSL certificate validation errors, you need to use the -k or --insecure option. This tells cURL to establish a connection even if the SSL/TLS certificate is expired, self-signed, or untrusted.

Using the Short Flag

The quickest way to bypass SSL verification is by appending the -k flag to your cURL command:

curl -k https://example.com

Using the Long Flag

For better readability in scripts, you can use the equivalent long-form option, --insecure:

curl --insecure https://example.com

Making the Setting Permanent (Optional)

If you frequently connect to a server with an invalid certificate and want to avoid typing the flag every time, you can add it to your cURL configuration file.

Open or create the .curlrc file in your home directory:

nano ~/.curlrc

Add the following line to the file:

insecure

Save and close the file. cURL will now ignore SSL certificate errors for all subsequent requests by default.

Security Warning

While the -k or --insecure option is highly useful for testing and development, it should never be used in production environments. Disabling SSL certificate validation makes your connection vulnerable to Man-in-the-Middle (MitM) attacks, allowing malicious actors to intercept or alter the data being transmitted.