How to ignore SSL certificate errors in wget

Certificate failures are common on lab systems, staging hosts, and old internal appliances where the server chain is self-signed, expired, or otherwise incomplete. wget can be told to continue anyway, which is useful for short-lived troubleshooting when the endpoint is already trusted through some other channel.

The command-line switch is --no-check-certificate, and the matching startup directive is check_certificate = off. Both tell wget to skip CA validation and host-name matching, which converts certificate failures into warnings while the HTTP request continues.

That bypass removes one of the main protections HTTPS is supposed to provide, so it should stay temporary and narrowly scoped. Prefer fixing trust with a real CA file whenever possible, use the unsafe mode only on controlled networks, and remove persistent bypasses as soon as the test is complete.

Related: How to configure wget to trust a custom CA CRT file
Related: How to configure default options in ~/.wgetrc
Related: How to skip SSL certificate verification in cURL

Steps to ignore SSL certificate errors in wget:

  1. Reproduce the failure first without any insecure override so the certificate problem is clear. 
    $ wget --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-03-27 06:52:46--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
To connect to self-signed.badssl.com insecurely, use '--no-check-certificate'.

    The baseline failure confirms the problem is TLS verification rather than DNS, routing, or HTTP status handling.

  2. Retry the same request with --no-check-certificate so wget continues past the TLS warning. 
    $ wget --no-check-certificate --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-03-27 06:52:47--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 502 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

    Using the flag on a single command keeps the insecure behavior explicit and temporary.

  3. Download the content only after the warning-only behavior is acceptable for the immediate task. 
    $ wget --no-check-certificate --output-document=self-signed.html https://self-signed.badssl.com/
--2026-03-27 06:58:10--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 502 [text/html]
Saving to: 'self-signed.html'

     0K                                                       100% 68.4M=0s

2026-03-27 06:58:11 (68.4 MB/s) - 'self-signed.html' saved [502/502]

    Skip this mode for credentials, private data, or untrusted networks because server identity is no longer being verified.

  4. Validate the startup-file behavior with a temporary WGETRC file before relying on the same directive in the real profile. 
    $ printf 'check_certificate = off\n' > insecure-wgetrc
$ WGETRC="$PWD/insecure-wgetrc" wget --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-03-27 06:57:24--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 502 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

    This proves the startup directive is being read without forcing an unsafe edit into the real profile during testing.

  5. Persist the bypass only when repeated manual use is unavoidable and the account is dedicated to that short-lived test window. 
    $ printf '\ncheck_certificate = off\n' >> "$HOME/.wgetrc"
$ tail -n 3 "$HOME/.wgetrc"

check_certificate = off

    Persistent bypass affects every future wget request made by that account until the directive is removed.

    Related: How to configure default options in ~/.wgetrc

  6. Remove the unsafe default as soon as the certificate problem has been diagnosed and confirm strict validation is restored. 
    $ grep -v '^check_certificate[[:space:]]*=[[:space:]]*off$' "$HOME/.wgetrc" > "$HOME/.wgetrc.new"
$ mv "$HOME/.wgetrc.new" "$HOME/.wgetrc"
$ wget --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-03-27 06:58:35--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.

    Restore certificate verification immediately after the test so later downloads regain normal HTTPS identity checks.