• Modern UX

    Edit and navigate faster in the terminal with Warp's IDE-like input editor.

  • Warp AI

    AI suggests what commands to run and learns from your documentation.

  • Agent Mode

    Delegate tasks to AI and use natural language on the command line.

  • Warp Drive

    Save and share interactive notebooks, workflows, and environment variables.

  • All Features

Ignoring SSL Certificate Issues with cURL

Thumbnail for Gabriel ManricksGabriel Manricks

Gabriel Manricks

Chief Architect, ClearX

Published: 1/31/2024

About Terminus

When making a request with cURL to a secured (HTTPS) endpoint, cURL will automatically verify the authenticity and validity of the certificate during the handshake before sending the request. There are times when you might want to bypass this check and tell cURL to make the request anyways; for example, on a development server with a self-signed certificate.

The Short Answer

You can bypass the certificate verification by adding the -k or --insecure flag to your request.

 $ curl https://expired.badssl.com/
curl: (60) SSL certificate problem: certificate has expired

$ curl https://expired.badssl.com/ -k
<!DOCTYPE html>
…
</html>
…


Run in Warp
Thumbnail for

Easily recall this command with AI

If you are using Warp, you can get to this request using the AI Command Search by typing # and then curl ignore ssl

 # curl ignore ssl

Run in Warp
Thumbnail for

Bypassing an insecure proxy with cURL

There are situations where you are making a cURL request through a proxy server and the problematic certificate is not from the final endpoint you are requesting, but it is rather a problem with the intermediate proxy-server’s certificate.

In situations like this, you can use the --proxy-insecure flag together with the -k /  --insecure flag above to bypass the security checks.

For example, if you start a local HTTPs proxy with something like mitmproxy:

 $ mitmproxy

Run in Warp

It should open a local proxy server, and you can then see that trying to make a request through it, even to a legitimate endpoint, will give an error:

 $ curl https://google.com --proxy https://localhost:8080
curl: (60) SSL certificate problem: unable to get local issuer certificate

Run in Warp

By adding the two flags, we can get the request to go through:

 $ curl https://google.com --proxy https://localhost:8080 --proxy-insecure -k
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

Run in Warp
Thumbnail for

Disabling certificate verification system-wide

There are some situations where you may want to disable this certificate verification system-wide. For example, if the curl requests in question are being generated by some script (Python, PHP, etc.) and it would be a lot of effort to update all the locations making requests.

In situations like these, if you need an easy way to temporarily disable SSL verification system-wide, you can add insecure and optionally proxy-insecure to your ~/.curlrc file.

 insecure
proxy-insecure

Run in Warp

Adding them to your ~/.curlrc will have exactly the same effect as passing them as command line options, so you can use whichever option better fits your situation. 

Beware of potential security concerns

When you bypass cURL’s verification of the TLS / SSL certificate, TLS / SSL becomes less able to secure your connection. This leaves you exposed to risks like man-in-the-middle attacks, where, for example, a malicious actor can gain access to your traffic and impersonate the server you are trying to reach by returning its own certificate instead of the real one. This would allow the malicious actor to decrypt your requests.

So this workaround should only be used in situations where you know why the certificate is invalid and you temporarily want to make the request despite the associated risks. Some typical examples of this situation could be:

  • Sending a request to a development server that has a self-signed certificate
  • Your certificate just recently expired and you want to make the cURL request before getting it renewed

A more robust solution for situations like the above, where you want to work with a self-signed certificate, would be to make cURL trust your personal root certificate authority’s (CA) certificate, and leave verification on. This would allow you to still make the request, but have the protection against issues like the attack discussed above.

To do this, you will need the root CA certificate which signed your server’s certificate. In the mitmproxy example from above, you can get the certificate using:

 $ curl http://mitm.it/cert/pem --proxy https://localhost:8080 -k --proxy-insecure > cacert.pem

Run in Warp

You can then use that certificate in other cURL requests as follows:

 $ curl https://google.com --proxy https://localhost:8080 --proxy-cacert ./cacert.pem --cacert ./cacert.pem

Run in Warp

To read more about retrieving and using root CA certificates you can take a look at this post by Daniel Stenberg, one of the maintainers of cURL.

Written by

Thumbnail for Gabriel ManricksGabriel Manricks

Gabriel Manricks

Chief Architect, ClearX

Filed Under

Related Articles

List Open Ports in Linux

Learn how to output the list of open TCP and UDP ports in Linux, as well as their IP addresses and ports using the netstat command.

UnixLinux
Thumbnail for Razvan LudosanuRazvan Ludosanu

Count Files in Linux

Learn how to count files and folders contained in directories and subdirectories in Linux using the ls, find, and wc commands.

LinuxUnix
Thumbnail for Razvan LudosanuRazvan Ludosanu

How to Check the Size of Folders in Linux

Learn how to output the size of directories and subdirectories in a human-readable format in Linux and macOS using the du command.

LinuxUnix
Thumbnail for Razvan LudosanuRazvan Ludosanu

Linux Chmod Command

Understand how to use chmod to change the permissions of files and directories. See examples with various chmod options.

Linux
Thumbnail for Razvan LudosanuRazvan Ludosanu

POST JSON Data With Curl

How to send valid HTTP POST requests with JSON data payloads using the curl command and how to avoid common syntax pitfalls. Also, how to solve the HTTP 405 error code.

BashUnixLinux
Thumbnail for Neeran GulNeeran Gul

Format Command Output In Linux

Learn how to filter and format the content of files and the output of commands in Linux using the awk command.

Linux

Create Groups In Linux

Learn how to manually and automatically create and list groups in Linux.

Linux

Switch Users In Linux

Learn how to switch between users, log in as another user, and execute commands as another user in Linux.

Linux

Remover Users in Linux

Learn how to remove local and remote user accounts and associated groups and files in Linux using the userdel and deluser commands.

Linux

Delete Files In Linux

Learn how to selectively delete files in Linux based on patterns and properties using the rm command.

Linux

Find Files In Linux

Learn how to find and filter files in Linux by owner, size, date, type and content using the find command.

Linux

Copy Files In Linux

Learn how to safely and recursively copy one or more files locally and remotely in Linux using the cp and scp command.

Linux

Trusted by hundreds of thousands of professional developers

Download Warp to get started

Download for Mac
Thumbnail for null