wget --no-check-certificate: Risks and Fixes
wget --no-check-certificate disables TLS certificate verification, which removes a security guarantee rather than fixing the underlying problem.
It is tempting to silence a TLS error with --no-check-certificate, but that turns off verification entirely. Usually the real fix is supplying the right CA.
What it does
wget --no-check-certificate tells wget not to verify the server certificate against the trust store. The download still uses TLS for encryption but no longer authenticates the server, so a man-in-the-middle would go undetected.
Common usage
# the safer fix: trust the right CA
wget --ca-certificate=/path/to/ca.pem https://internal.example.com/app.bin
# last resort, understands the risk
wget --no-check-certificate https://internal.example.com/app.binOptions
| Flag | What it does |
|---|---|
| --no-check-certificate | Skip server certificate verification (unsafe) |
| --ca-certificate=<file> | Trust a specific CA certificate file |
| --ca-directory=<dir> | Directory of hashed trusted CA certs |
| --certificate=<file> | Client certificate for mutual TLS |
In CI
Reach for --ca-certificate before --no-check-certificate. Pointing wget at the internal CA keeps verification on while trusting your own endpoints. Disabling checks in a pipeline silently accepts any certificate, which defeats the purpose of HTTPS.
Common errors in CI
ERROR: The certificate of ‘host’ is not trusted or "is not yet activated" / "has expired" means the trust chain or clock is wrong; add the CA with --ca-certificate or fix the time, do not just disable checks. Unable to establish SSL connection points at a protocol or cipher mismatch, which --no-check-certificate will not fix.