By default, wget validates the SSL certificate of any SSL-based website it connects to. This is a security measure: SSL itself relies on certificates being valid and verified before they are used and trusted. There are times, though, when you'll want to bypass this check in wget, such as when accessing websites with an expired SSL certificate or a self-signed one.

This can easily be done with the --no-check-certificate option, which the wget manual describes as follows:

--no-check-certificate
    Don't check the server certificate against the available certificate authorities.  Also don't require the URL host name to match the common name presented by the certificate.

    As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification
    fails.  Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or
    otherwise invalid certificates.  This option forces an "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed.

    If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option to bypass the verification and proceed with the
    download.  Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate.  It is almost always a bad idea
    not to check the certificates when transmitting confidential or important data.

Without --no-check-certificate, you'll get the following error when accessing a site with an improperly configured certificate:

$ wget https://192.168.0.1/
--2018-06-07 12:19:25--  https://192.168.0.1/
Connecting to 192.168.0.1:443... connected.
    ERROR: certificate common name ‘*.example.com’ doesn't match requested host name ‘192.168.0.1’.
To connect to 192.168.0.1 insecurely, use `--no-check-certificate'.

With the --no-check-certificate option, wget only prints a warning and still proceeds with the request:

$ wget --no-check-certificate https://192.168.0.1/
--2018-06-07 12:27:19--  https://192.168.0.1/
Connecting to 192.168.0.1:443... connected.
    WARNING: certificate common name ‘*.example.com’ doesn't match requested host name ‘192.168.0.1’.
HTTP request sent, awaiting response... 200 OK
Length: 90 [text/html]
Saving to: ‘index.html’

100%[=======================================================================================>] 90          --.-K/s   in 0s

2018-06-07 12:27:19 (5.03 MB/s) - ‘index.html’ saved [90/90]
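
Because the option is usually added as a quick workaround and then left in scripts, it is worth checking where verification has been disabled. The following is an added example, not part of the original article: a small audit that reports wget invocations using --no-check-certificate and the equivalent wgetrc setting check_certificate = off. The function names, sample file names and sample URLs are hypothetical and constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: audit a directory for places
# where wget certificate verification has been switched off.

# Print "file:line:text" for each non-comment line that passes
# --no-check-certificate to wget or sets check_certificate = off (wgetrc).
find_unverified_wget() {
    {
        grep -rnHE 'wget[[:space:]].*--no-check-certificate' "$1" || true
        # wgetrc commands are case-, underscore- and dash-insensitive
        grep -rniHE '^[[:space:]]*check[_-]?certificate[[:space:]]*=[[:space:]]*off' "$1" || true
    } 2>/dev/null | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' | sort
    return 0
}

# Number of findings under the given path.
count_unverified_wget() {
    find_unverified_wget "$1" | wc -l | tr -d ' '
}

# Constructed sample files (hypothetical names and URLs) for the demo.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' \
        '#!/bin/sh' \
        '# wget --no-check-certificate https://old.example.com/' \
        'wget -q --no-check-certificate https://192.168.0.1/' \
        'wget https://www.example.com/index.html' > "$1/fetch.sh"
    printf '%s\n' 'tries = 3' 'check_certificate = off' > "$1/wgetrc"
}

# Demo: build the sample tree, list the findings, clean up.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_unverified_wget "$demo_dir"
echo "findings: $(count_unverified_wget "$demo_dir")"
rm -rf "$demo_dir"
```

Commented-out lines are skipped, so only the active wget call and the wgetrc line are reported for the sample tree.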