How to Use `curl` to Ignore SSL Certificate Errors Safely
When working with APIs or testing websites in development, you might encounter SSL-related errors while using curl. These errors happen when curl can’t verify a website’s SSL certificate—often due to self-signed certificates, expired certificates, or staging environments. In these cases, knowing how to make curl ignore SSL verification can be very useful.
Why SSL Verification Matters
SSL (Secure Sockets Layer; modern servers use its successor, TLS) ensures the data you send and receive over HTTPS is encrypted and secure. Before establishing a secure connection, curl checks whether the server’s certificate is valid and trusted.
If the certificate is:
- Self-signed (not issued by a trusted authority)
- Expired
- Incorrectly configured
Then curl will block the request and show this common error:
```
curl: (60) SSL certificate problem: self signed certificate
```
This is by design—to protect you from insecure or fake websites.
How to Ignore SSL in curl
To bypass this verification step (only when you know it’s safe), use the -k or --insecure option:
```bash
curl -k https://example.com
```
or
```bash
curl --insecure https://example.com
```
This tells curl to proceed even if the SSL certificate can’t be verified.
⚠️ Important: Only use `--insecure` in trusted environments like development or testing. Avoid it in production, as it disables one of the key protections of HTTPS.
Can I Always Ignore SSL by Default?
Yes, but it’s risky. If you want to make curl always ignore SSL, add this to your ~/.curlrc file:
```
insecure
```
Again, this is not recommended unless you have full control over the environment and understand the risks involved.
Ignore SSL in Code (with Curl Bindings)
If you’re using curl through code, here’s how you can ignore SSL in different languages:
PHP (with cURL)
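```php
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://example.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
// Testing only: skips verification of the certificate chain.
// CURLOPT_SSL_VERIFYHOST is not changed here, so it keeps its default value.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);
```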
Python (using PycURL)
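```python
import pycurl

c = pycurl.Curl()
c.setopt(c.URL, 'https://example.com')
# Testing only: the next two options turn off certificate checks.
c.setopt(c.SSL_VERIFYPEER, 0)  # do not verify the certificate chain
c.setopt(c.SSL_VERIFYHOST, 0)  # do not check that the certificate matches the host name
c.perform()
c.close()
```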
Again: only use this for testing purposes. Ignoring SSL verification in production environments can make your app vulnerable to man-in-the-middle (MITM) attacks.
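To confirm that none of the switches shown above have leaked from a test setup into scripts or application code, the following added example (not part of the original article) scans a directory tree for them. The function names `_scan` and `find_insecure_curl` are hypothetical, and the patterns cover only the forms shown in this article: `-k`/`--insecure` on a command line, `insecure` in a `.curlrc`, and the PHP and PycURL verify options set to false or 0.

```shell
#!/bin/sh
# Added example: audit a tree for the verification-disabling switches shown above.
# Function names are hypothetical; patterns cover only the forms in this article.

# _scan DIR REGEX FIND-TESTS... : grep the files selected by the find tests.
_scan() {
    d=$1; re=$2; shift 2
    # "|| true": a scan with no hits is not an error for the caller.
    find "$d" -type f "$@" -exec grep -nEH -e "$re" {} + || true
}

# find_insecure_curl DIR : print "file:line:text" for every hit, de-duplicated.
find_insecure_curl() {
    dir=${1:-.}
    {
        # curl command lines: --insecure, -k, or -k bundled with other
        # short flags (for example -sSk). Stops at |, ; and & so a flag of
        # a later command in the same line is not attributed to curl.
        _scan "$dir" \
            'curl[[:space:]]+([^|;&]*[[:space:]])?(--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)' \
            '!' -name .curlrc
        # .curlrc: a line that is just "insecure", "--insecure" or "-k".
        _scan "$dir" '^[[:space:]]*(-k|(--)?insecure)[[:space:]]*$' -name .curlrc
        # PHP cURL and PycURL: SSL_VERIFYPEER / SSL_VERIFYHOST set to false or 0.
        _scan "$dir" \
            'SSL_VERIFY(PEER|HOST)[[:space:]]*,[[:space:]]*(false|FALSE|False|0)[[:space:]]*\)' \
            '(' -name '*.php' -o -name '*.py' ')'
    } | sort -u
}
```

Call it as `find_insecure_curl path/to/repo`; an empty result means none of these forms were found, and any output line is a place to review before the code ships.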
When Should You Ignore SSL?
Here are a few legitimate use cases:
- Testing a new API server with a self-signed certificate
- Crawling or scraping a dev/staging site without a proper certificate
- Making internal calls in a local network where security is already managed
Conclusion
The curl -k or --insecure flag can be a handy tool—but it’s not something you should rely on in production. Always use it with caution, and only in trusted environments.
SSL certificates exist to protect users, and skipping verification weakens that layer of protection. If you’re frequently running into SSL errors during scraping or automation tasks, consider:
- Installing the correct root certificates
- Using a valid certificate, even in staging
- Or working with a proxy solution that handles SSL verification for you