SSL certificates are used to verify the identity of a website and encrypt all data sent to and from it. In order to establish a secure connection with a website, the client must verify that the certificate sent by the server is valid and trusted. If the certificate is not valid or trusted, the client will refuse to connect to the website.

SSL certificate errors occur when the client is unable to verify the certificate provided by the server. There are many reasons why this could happen, but some of the most common are expired certificates, certificates that are not issued by a trusted certificate authority, and certificates that do not match the domain name of the website.

When a certificate error occurs, cURL will display an error message and refuse to connect to the website. For example, if you try to connect to a website with an expired certificate, you will see the following error message:

$ curl https://www.example.com/
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.

curl: (60) SSL: no alternative certificate subject name matches target host name 'www.example.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

While these errors are useful in production environments, they can be annoying when testing or troubleshooting. There could also be situations where you know the risks and want to bypass these checks. Thankfully, cURL provides a way to ignore SSL certificate errors and proceed with the request.

Steps to bypass SSL certificate verification in cURL:

  1. Open the terminal.
  2. Run curl against website with SSL error.

    $ curl https://www.example.com/
    curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
  3. Use insecure option for curl to ignore SSL certificate error.

    $ curl --insecure https://www.example.com/
    <html>
    <head>
    <meta HTTP-EQUIV="REFRESH" content="0; url=/newpage.php">
    </head>
    </html>
    -k, --insecure
           (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.
    
           The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.
    
           See this online resource for further details:
            https://curl.haxx.se/docs/sslcerts.html
    
           See also --proxy-insecure and --cacert.
  4. Use shortform insecure option for curl.

    $ curl -k https://www.example.com/
    <html>
    <head>
    <meta HTTP-EQUIV="REFRESH" content="0; url=/newpage.php">
    </head>
    </html>
  5. Add insecure to curl config file to apply the option to every SSL connection.

    $ echo "insecure" >> ~/.curlrc

    Only use this method in development setting or wherever security is not critical.

  6. Test against problematic https website again without specifying insecure option.

    $ curl https://www.example.com/
    <html>
    <head>
    <meta HTTP-EQUIV="REFRESH" content="0; url=/newpage.php">
    </head>
    </html>