Ignore SSL Certificate Error with Wget
Getting an expired certificate error while downloading files with wget? Here’s how to ignore it.
So you installed wget and when you tried to download files in the Linux terminal, it got you an SSL certificate error like the following?
$ wget https://expired.badssl.com
--2022-11-04 14:35:55-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify expired.badssl.com's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Issued certificate has expired.
To connect to expired.badssl.com insecurely, use `--no-check-certificate'.
The reason why you get this error is simple. By default, wget checks for a valid SSL certificate so that you can have a reliable connection and if not, it throws an error saying the Issued certificate has expired.
So let’s have a look at how to ignore SSL certificate errors while using wget.
Ignore SSL certificate error with wget
While I won’t advise you to connect to a website that has a broken SSL certificate, you may find this error on a trusted site and wish to continue, so here you go.
To ignore this error, you have to use the --no-check-certificate option, and wget won’t check the SSL certificate:
wget --no-check-certificate https://expired.badssl.com
$ wget --no-check-certificate https://expired.badssl.com
--2022-11-04 15:18:07-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify expired.badssl.com's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.1’
index.html.1 100%[===================>] 494 --.-KB/s in 0s
2022-11-04 15:18:08 (209 MB/s) - ‘index.html.1’ saved [494/494]
Skip the certification check
I do not recommend this unless you have an isolated environment or want to test things regardless of security concerns.
To skip the certificate check every time you visit the broken SSL site, you just have to append check-certificate = off to the wget config file:
And now, you can download files using wget over broken SSL sites without adding the --no-check-certificate option:
$ wget https://expired.badssl.com
--2022-11-04 15:41:50-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: cannot verify expired.badssl.com's certificate, issued by ‘CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.2’
index.html.2 100%[===================>] 494 --.-KB/s in 0s
2022-11-04 15:41:51 (191 MB/s) - ‘index.html.2’ saved [494/494]
Wrapping Up
Curl or wget, you can face this issue in both commands.
Through this guide, I explained how you could ignore SSL certificate errors with wget. If you have any queries, let me know in the comments.
How to ignore SSL certificate error in wget
Wget, by default, performs a validity check of SSL certificates when connecting to https websites to ensure the certificate is valid. However, there are times that you’ll want Wget to ignore SSL certificate check errors and warnings. This could happen when accessing websites with expired or self-signed SSL certificates, but you still trust the websites.
$ wget https://www.simplified.guide
--2021-03-29 11:09:07-- https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
ERROR: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
    ERROR: certificate common name ‘*.simplified.guide’ doesn't match requested host name ‘www.simplified.guide’.
To connect to www.simplified.guide insecurely, use `--no-check-certificate'.
You can turn off the check-certificate option in Wget to skip the certificate check, thus ignoring SSL errors. This is equivalent to using the insecure option for cURL.
Steps to skip certificate check in wget:
$ wget https://www.simplified.guide
--2021-03-29 11:31:11-- https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
ERROR: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
To connect to www.simplified.guide insecurely, use `--no-check-certificate'.
$ wget --no-check-certificate https://www.simplified.guide
--2021-03-29 11:32:21-- https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
WARNING: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
index.html [ ] 31.01K --.-KB/s in 0s
2021-03-29 11:32:21 (100 MB/s) - ‘index.html’ saved [31755]
--no-check-certificate
    Don't check the server certificate against the available certificate authorities. Also don't require the URL host name to match the common name presented by the certificate.
    As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed.
    If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site's authenticity, or if you really don't care about the validity of its certificate. It is almost always a bad idea not to check the certificates when transmitting confidential or important data.
$ echo "check-certificate = off" >> ~/.wgetrc
$ wget https://www.simplified.guide
--2021-03-29 11:42:29-- https://www.simplified.guide/
Resolving www.simplified.guide (www.simplified.guide)... 127.0.0.1
Connecting to www.simplified.guide (www.simplified.guide)|127.0.0.1|:443... connected.
WARNING: cannot verify www.simplified.guide's certificate, issued by ‘CN=mkcert name@hostname (Your Name),OU=name@hostname (Your Name),O=mkcert development CA’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’
index.html [ ] 31.01K --.-KB/s in 0s
2021-03-29 11:42:29 (115 MB/s) - ‘index.html’ saved [31755]
How to ignore certificate check in wget? [SOLVED]
wget is a popular command for downloading files from the internet over protocols such as HTTP, HTTPS, and FTP. It runs in whatever terminal emulator you use, so you can download a file without opening the address in a browser. If the website you want to download from has an insecure or problematic SSL certificate, you will encounter the following errors:
ERROR: Certificate ‘—‘ is not trusted.
ERROR: Certificate ‘—‘ has no known issuer.
The certificate has expired
The download fails, and wget reports that the address you want to download from has a security problem. We will tell you how to proceed with the download with the following steps.
Ignore SSL Certificate in Wget
When you open a website with a browser, if you encounter the following screen, it indicates that this site has a problem with the SSL certificate:
You can access the site with Advanced → Accept the Risk and Continue.
Now let’s try to download files from this website with wget in terminal:
foc@fedora:~$ wget https://expired.badssl.com
--2023-02-09 19:44:12-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
ERROR: The certificate of ‘expired.badssl.com’ is not trusted.
ERROR: The certificate of ‘expired.badssl.com’ has expired.
The certificate has expired
As you can see, the download failed. The "--no-check-certificate" parameter is used to solve this problem:
foc@fedora:~$ wget --no-check-certificate https://expired.badssl.com
--2023-02-09 21:17:30-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: The certificate of ‘expired.badssl.com’ is not trusted.
WARNING: The certificate of ‘expired.badssl.com’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.9’
index.html.9 100%[=============>] 494 --.-KB/s in 0s
2023-02-09 21:17:30 (7.92 MB/s) - ‘index.html.9’ saved [494/494]
The download was successful without verifying the server’s certificate. If you have used wget in your bash scripts before, it looks like you need to give this parameter to all of these commands.
The solution below will help you a lot. Create a ".wgetrc" file and type the following lines:
foc@fedora:~$ nano /usr/local/etc/wgetrc
Or you can do it in one line with echo:
echo "check_certificate = off" >> ~/.wgetrc
Try downloading with wget after this command:
foc@fedora:~$ wget https://expired.badssl.com
--2023-02-09 21:31:17-- https://expired.badssl.com/
Resolving expired.badssl.com (expired.badssl.com)... 104.154.89.105
Connecting to expired.badssl.com (expired.badssl.com)|104.154.89.105|:443... connected.
WARNING: The certificate of ‘expired.badssl.com’ is not trusted.
WARNING: The certificate of ‘expired.badssl.com’ has expired.
The certificate has expired
HTTP request sent, awaiting response... 200 OK
Length: 494 [text/html]
Saving to: ‘index.html.11’
index.html.11 100%[=============>] 494 --.-KB/s in 0s
2023-02-09 21:31:19 (12.2 MB/s) - ‘index.html.11’ saved [494/494]
You can see that the download was successful without parameters.
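Both the per-command --no-check-certificate option and the persistent check-certificate = off setting shown above tend to stay in place long after the one download they were added for, so it helps to check where they are still active. The script below is an added example, not code from the original articles; /etc/wgetrc as a system-wide location and the boolean spellings it recognizes are assumptions.

```shell
#!/bin/sh
# Added example: audit for the two ways this page disables wget certificate checks.

# Print "off", "on", "other:<value>" or "unset" for check-certificate in one wgetrc.
# wgetrc setting names ignore case, "-" and "_"; the last active line wins.
# Assumption: off/no/0 and on/yes/1 are the boolean spellings wget accepts.
wgetrc_cert_state() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = tolower(substr($0, 1, eq - 1))
            gsub(/[-_ \t]/, "", name)             # normalise the setting name
            if (name != "checkcertificate") next
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)    # trim the value
            if (val == "off" || val == "no" || val == "0") state = "off"
            else if (val == "on" || val == "yes" || val == "1") state = "on"
            else state = "other:" val
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Print files under directory $1 that pass --no-check-certificate to wget.
find_insecure_wget_calls() {
    grep -rlE -- 'wget[^|;&]*--no-check-certificate' "$1" 2>/dev/null | sort
}

# Report on the config files named on this page, plus /etc/wgetrc (assumed
# system-wide path) and $WGETRC if set; then scan an optional script directory.
audit_wget() {
    for rc in /etc/wgetrc /usr/local/etc/wgetrc "$HOME/.wgetrc" ${WGETRC:+"$WGETRC"}; do
        printf '%s\t%s\n' "$(wgetrc_cert_state "$rc")" "$rc"
    done
    [ -n "$1" ] && find_insecure_wget_calls "$1"
    return 0
}

audit_wget "${1:-}"
```

Pass a directory of scripts as the first argument to also list the files that call wget with --no-check-certificate.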
Summary
You can get help about wget online here. For local help you can also open the -h/--help or manual page in terminal:
foc@fedora:~$ wget --help
...
HTTPS (SSL/TLS) options:
       --secure-protocol=PR        choose secure protocol, one of auto, SSLv2,
                                     SSLv3, TLSv1, TLSv1_1, TLSv1_2, TLSv1_3 and PFS
       --https-only                only follow secure HTTPS links
       --no-check-certificate      don't validate the server's certificate
       --certificate=FILE          client certificate file
       --certificate-type=TYPE     client certificate type, PEM or DER
       --private-key=FILE          private key file
       --private-key-type=TYPE     private key type, PEM or DER
       --ca-certificate=FILE       file with the bundle of CAs
       --ca-directory=DIR          directory where hash list of CAs is stored
...