Self-signed, expired, or otherwise invalid HTTPS certificates stop wget before it downloads anything. This page shows how to bypass that check temporarily when you already trust the endpoint and need one short diagnostic or retrieval to continue.

GNU wget still verifies the server certificate and host name by default. The command-line switch is --no-check-certificate, and check_certificate = off is the matching startup-file directive when you need the same behavior from a dedicated preview config file.

Disabling certificate verification removes the HTTPS identity check, so keep the bypass explicit and short-lived. The examples below use self-signed.badssl.com so you can reproduce the warning safely and then return to normal verification immediately.

Related: How to configure wget to trust a custom CA CRT file
Related: How to configure default options in ~/.wgetrc
Related: How to skip SSL certificate verification in cURL

Steps to ignore SSL certificate errors in wget:

  1. Reproduce the certificate failure once without any bypass. 
    $ wget --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-04-22 11:32:11--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
To connect to self-signed.badssl.com insecurely, use '--no-check-certificate'.

    The baseline failure confirms that TLS verification is the blocker before you suppress it.

  2. Retry the same request with --no-check-certificate and confirm the TLS error becomes a warning. 
    $ wget --no-check-certificate --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-04-22 11:31:30--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 502 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

    Using the flag on one command keeps the unsafe behavior visible and temporary.

  3. Download the page only after you have decided the insecure request is acceptable for this one task. 
    $ wget --no-check-certificate --output-document=self-signed.badssl.html https://self-signed.badssl.com/
--2026-04-22 11:31:56--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 502 [text/html]
Saving to: 'self-signed.badssl.html'

     0K                                                       100% 95.7M=0s

2026-04-22 11:31:57 (95.7 MB/s) - 'self-signed.badssl.html' saved [502/502]

    Do not use this mode for credentials, private artifacts, or untrusted networks because wget is no longer verifying server identity.

  4. Put the matching startup-file directive in a preview config file instead of changing your normal profile. 
    insecure-test.wgetrc
check_certificate = off

    Keep the override in a job-local file unless you have a strong reason to make it persistent.

  5. Load the preview file with --config and confirm the same request works without adding the flag to the command line. 
    $ wget --config=insecure-test.wgetrc --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-04-22 11:32:11--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 502 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

    Related: How to configure default options in ~/.wgetrc

  6. Remove the temporary config file and downloaded test file when the check is finished. 
    $ rm insecure-test.wgetrc self-signed.badssl.html
  7. Run the plain command again and confirm strict verification is back in place. 
    $ wget --spider https://self-signed.badssl.com/
Spider mode enabled. Check if remote file exists.
--2026-04-22 11:32:11--  https://self-signed.badssl.com/
Resolving self-signed.badssl.com (self-signed.badssl.com)... 104.154.89.105
Connecting to self-signed.badssl.com (self-signed.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify self-signed.badssl.com's certificate, issued by 'CN=*.badssl.com,O=BadSSL,L=San Francisco,ST=California,C=US':
  Self-signed certificate encountered.
To connect to self-signed.badssl.com insecurely, use '--no-check-certificate'.

    Once the temporary file is gone, later wget commands will stop on the certificate again instead of silently trusting it.