Categories
DailyOps

How to ignore certificate verification errors when using wget

Ignore certificate verification errors when using wget.

Try to access the address secured by a self-signed certificate.

$ wget --output-document - https://nextcloud.example.org
--2021-07-16 13:59:59--  https://nextcloud.example.org/
Resolving nextcloud.example.org (nextcloud.example.org)... 192.168.8.32
Connecting to nextcloud.example.org (nextcloud.example.org)|192.168.8.32|:443... connected.
ERROR: cannot verify nextcloud.example.org's certificate, issued by ‘CN=nextcloud.example.org’:
  Self-signed certificate encountered.
To connect to nextcloud.example.org insecurely, use `--no-check-certificate'.
$ wget --quiet --no-check-certificate  --output-document - https://nextcloud.example.org/robots.txt
User-agent: *
Disallow: /

Excerpt from manual page.

[...]

--no-check-certificate
   Don't check the server certificate against the available certificate authorities.  Also don't require the URL host name to match the common name
   presented by the certificate.

   As of Wget 1.10, the default is to verify the server's certificate against the recognized certificate authorities, breaking the SSL handshake and
   aborting the download if the verification fails.  Although this provides more secure downloads, it does break interoperability with some sites
   that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates.  This option forces an
   "insecure" mode of operation that turns the certificate verification errors into warnings and allows you to proceed.

   If you encounter "certificate verification" errors or ones saying that "common name doesn't match requested host name", you can use this option
   to bypass the verification and proceed with the download.  Only use this option if you are otherwise convinced of the site's authenticity, or if
   you really don't care about the validity of its certificate.  It is almost always a bad idea not to check the certificates when transmitting
   confidential or important data.  For self-signed/internal certificates, you should download the certificate and verify against that instead of
   forcing this insecure mode.  If you are really sure of not desiring any certificate verification, you can specify --check-certificate=quiet to
   tell wget to not print any warning about invalid certificates, albeit in most cases this is the wrong thing to do.

[...]