Skip to content
Latchkey

wget --no-check-certificate: Risks and Fixes

wget --no-check-certificate disables TLS certificate verification, which removes a security guarantee rather than fixing the underlying problem.

It is tempting to silence a TLS error with --no-check-certificate, but that turns off verification entirely. Usually the real fix is supplying the right CA.

What it does

wget --no-check-certificate tells wget not to verify the server certificate against the trust store. The download still uses TLS for encryption but no longer authenticates the server, so a man-in-the-middle would go undetected.

Common usage

Terminal
# the safer fix: trust the right CA
wget --ca-certificate=/path/to/ca.pem https://internal.example.com/app.bin
# last resort, understands the risk
wget --no-check-certificate https://internal.example.com/app.bin

Options

FlagWhat it does
--no-check-certificateSkip server certificate verification (unsafe)
--ca-certificate=<file>Trust a specific CA certificate file
--ca-directory=<dir>Directory of hashed trusted CA certs
--certificate=<file>Client certificate for mutual TLS

In CI

Reach for --ca-certificate before --no-check-certificate. Pointing wget at the internal CA keeps verification on while trusting your own endpoints. Disabling checks in a pipeline silently accepts any certificate, which defeats the purpose of HTTPS.

Common errors in CI

ERROR: The certificate of ‘host’ is not trusted or "is not yet activated" / "has expired" means the trust chain or clock is wrong; add the CA with --ca-certificate or fix the time, do not just disable checks. Unable to establish SSL connection points at a protocol or cipher mismatch, which --no-check-certificate will not fix.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →