Web Technologies

How to Make curl Ignore SSL Certificate Errors

On this page

To make curl ignore SSL certificate errors, add the -k (or --insecure) flag: curl -k https://example.com. This tells curl to skip certificate verification, so it connects even to a server with a self-signed, expired, or mismatched certificate instead of failing with SSL certificate problem. It's the right tool for local and staging environments — but it disables the protection TLS exists to provide, so it should never be a production fix.

Quick facts

Flag-k / --insecure
Syntaxcurl -k https://example.com
What it doesSkips SSL/TLS certificate verification
Safer alternative--cacert <file> to trust a specific CA/cert
WarningDisables MITM protection — testing/dev only

The -k / --insecure flag

When curl refuses to connect with an error like SSL certificate problem: self-signed certificate or certificate has expired, -k skips the check:

curl -k https://self-signed.local/api
# long form
curl --insecure https://self-signed.local/api

curl still negotiates an encrypted TLS connection — it just stops verifying that the certificate is trusted and matches the host. That distinction matters: the traffic is encrypted, but you've given up the guarantee that you're talking to the right server.

When it is safe to use -k

Skipping verification is reasonable only when you already trust the connection by other means:

  • A local server or staging environment using a self-signed certificate.
  • An internal tool with a misconfigured or not-yet-issued cert.
  • Quick debugging to confirm the SSL error is the only thing blocking a request.

Never use -k in production
Disabling verification opens you to man-in-the-middle attacks — anyone who can intercept the connection can impersonate the server and you'll never know. Treat -k as a temporary workaround, not a fix.

The safer fix: trust the right certificate

Instead of ignoring all verification, point curl at the specific CA or certificate it should trust with --cacert (or --capath for a directory):

# Trust a specific CA bundle / self-signed cert
curl --cacert /path/to/ca.pem https://internal.example.com

# Provide a client certificate (mutual TLS)
curl --cert client.pem --key client.key https://example.com

This keeps verification on — you still get MITM protection — while accepting the certificate you actually expect. It's the correct long-term solution for internal services with their own CA.

SSL errors when scraping

If you hit SSL errors against a public site that loads fine in a browser, -k usually isn't the answer. The common causes are a missing or outdated CA bundle on your machine, or an anti-bot layer terminating the TLS handshake because it doesn't like your TLS fingerprint. In the second case the certificate is valid; the block is happening at the handshake. A scraping API that presents a real browser's TLS profile resolves it — see the code example. Sites returning 403 or Cloudflare errors after the handshake need the same treatment.

Code example

bash
# Ignore SSL verification (testing / self-signed / staging ONLY)
curl -k https://self-signed.local/api
curl --insecure https://self-signed.local/api

# Safer: trust a specific CA or certificate (keeps verification on)
curl --cacert /path/to/ca.pem https://internal.example.com

# Mutual TLS with a client certificate
curl --cert client.pem --key client.key https://example.com

Related terms

How to Use Basic Auth with curl
To send HTTP Basic Authentication with curl, use the -u (or --user) flag: curl -u username:password https://example.com. curl Base64-encodes…
How to Send and Receive JSON with curl
To POST JSON with curl, set the content type and pass the body: curl -X POST -H "Content-Type: application/json" -d '{"key":"value"}' https:…
What is HTTP? (Complete Guide 2026)
HTTP (HyperText Transfer Protocol) is the set of rules browsers and servers use to talk to each other on the web. Every time you load a page…
What Is TLS Fingerprinting (JA3/JA4)?
TLS fingerprinting is a way to recognize what software made a connection just by looking at how it sets up encryption — before the server re…
What Is the 403 Status Code (403 Forbidden Error)?
HTTP 403 Forbidden means the server understood your request but refuses to answer it. The difference from 401 is simple: 401 means "we don't…

Concept map

How How to Make curl Ignore SSL Certificate Errors connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Web Technologies
Building map…

Frequently asked questions

How do I make curl ignore SSL certificate errors?

Add the -k or --insecure flag: curl -k https://example.com. This skips certificate verification so curl connects even to servers with self-signed, expired, or mismatched certificates. The connection is still encrypted, but curl no longer verifies you are talking to the right server, so use it for testing only.

What is the difference between -k and --insecure in curl?

Nothing — -k is the short form and --insecure is the long form of the same option. Both disable SSL/TLS certificate verification for the request.

Is it safe to use curl -k?

Only for local servers, staging, internal tools, or quick debugging where you already trust the connection. In production it exposes you to man-in-the-middle attacks because it disables the verification that ensures you are connected to the genuine server. Use --cacert to trust a specific certificate instead.

How do I fix a curl SSL error without ignoring it?

Point curl at the certificate it should trust with --cacert /path/to/ca.pem (or --capath for a directory), or update your system CA bundle if a public site is failing. For mutual TLS, supply a client certificate with --cert and --key. This keeps verification — and MITM protection — enabled.

Last updated: 2026-06-08