Certificate failures are common on lab systems, staging hosts, and older internal appliances where the server chain is self-signed, expired, or incomplete. wget can be told to continue anyway, which is useful for short-lived diagnostics when the endpoint is already trusted through some other controlled path.

The switch for the command line is --no-check-certificate, and the matching startup-file directive is check_certificate = off. Both disable normal HTTPS certificate validation and host-name checks, so the connection continues with a warning instead of stopping on the TLS error.

That bypass removes one of the main protections HTTPS is meant to provide. Use it only for narrow troubleshooting on controlled networks, prefer fixing trust with a real CA file whenever possible, and remove any persistent bypass as soon as the immediate test is complete.

Related: How to configure wget to trust a custom CA CRT file
Related: How to configure default options in ~/.wgetrc
Related: How to skip SSL certificate verification in cURL

Steps to ignore SSL certificate errors in wget:

  1. Reproduce the certificate failure once without any insecure override so the problem is clearly identified. 
    $ wget --spider https://repo.internal.example/packages/index.html
Spider mode enabled. Check if remote file exists.
--2026-03-28 14:30:35--  https://repo.internal.example/packages/index.html
Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
ERROR: cannot verify repo.internal.example's certificate, issued by 'CN=internal.example CA':
  Self-signed certificate encountered.
To connect to repo.internal.example insecurely, use '--no-check-certificate'.

    The baseline failure confirms that the issue is TLS verification rather than DNS, routing, or HTTP status handling.

  2. Retry the same request with --no-check-certificate so the TLS error becomes a warning and the request continues. 
    $ wget --no-check-certificate --spider https://repo.internal.example/packages/index.html
Spider mode enabled. Check if remote file exists.
--2026-03-28 14:30:36--  https://repo.internal.example/packages/index.html
Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
WARNING: cannot verify repo.internal.example's certificate, issued by 'CN=internal.example CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 2345 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

    Using the flag on one command keeps the unsafe behavior explicit and temporary.

  3. Save the content only after the warning-only behavior is acceptable for the immediate troubleshooting task. 
    $ wget --no-check-certificate --output-document=packages-index.html https://repo.internal.example/packages/index.html
--2026-03-28 14:30:42--  https://repo.internal.example/packages/index.html
Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
WARNING: cannot verify repo.internal.example's certificate, issued by 'CN=internal.example CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 2345 [text/html]
Saving to: 'packages-index.html'

     0K ..                                                    100% 27.8M=0s

2026-03-28 14:30:42 (27.8 MB/s) - 'packages-index.html' saved [2345/2345]

    Do not use this mode for credentials, private data, or untrusted networks because server identity is no longer being verified.

  4. Preview the startup-file behavior with a temporary WGETRC file before touching the real profile. 
    $ printf 'check_certificate = off\n' > insecure-test.wgetrc
$ WGETRC="$PWD/insecure-test.wgetrc" wget --spider https://repo.internal.example/packages/index.html
Spider mode enabled. Check if remote file exists.
--2026-03-28 14:30:44--  https://repo.internal.example/packages/index.html
Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
WARNING: cannot verify repo.internal.example's certificate, issued by 'CN=internal.example CA':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 2345 [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

    This proves the startup directive is being read without leaving an unsafe account default behind after the test.

  5. Persist the bypass only when repeated short-lived testing is unavoidable for that one account. 
    $ printf '\ncheck_certificate = off\n' >> "$HOME/.wgetrc"
$ grep -n '^check_certificate' "$HOME/.wgetrc" | tail -n 1
15:check_certificate = off

    Persistent bypass affects every future wget command run by that account until the directive is removed.

    Related: How to configure default options in ~/.wgetrc

  6. Remove the unsafe default as soon as the certificate problem has been diagnosed and confirm that strict validation is back in place. 
    $ grep -v '^check_certificate[[:space:]]*=[[:space:]]*off$' "$HOME/.wgetrc" > "$HOME/.wgetrc.new"
$ mv "$HOME/.wgetrc.new" "$HOME/.wgetrc"
$ wget --spider https://repo.internal.example/packages/index.html
Spider mode enabled. Check if remote file exists.
--2026-03-28 14:30:48--  https://repo.internal.example/packages/index.html
Resolving repo.internal.example (repo.internal.example)... 192.0.2.10
Connecting to repo.internal.example (repo.internal.example)|192.0.2.10|:443... connected.
ERROR: cannot verify repo.internal.example's certificate, issued by 'CN=internal.example CA':
  Self-signed certificate encountered.

    Restoring certificate verification immediately prevents later downloads from silently trusting the wrong server.