To quickly make cURL ignore SSL certificate errors, append the -k or --insecure flag to your command (e.g., curl -k https://example.com). This forces cURL to skip SSL verification and ignore self-signed certificate warnings. However, this entirely disables identity verification, leaving your connection vulnerable to interception. See the curl man page.
You run a cURL command. It fails with curl: (60) SSL certificate problem. Your immediate instinct is to append -k and move on.
While --insecure restores your connection, it blindly disables identity verification. You get the payload, but you lose the security. The correct fix depends on whether the failure originates from the origin server, an enterprise proxy, or your local trust store.
This guide explains how to bypass SSL in cURL safely for debugging, and how to permanently fix certificate verification for production workflows.
Quick Answer: Using curl --insecure
Use -k or --insecure to skip SSL validation during immediate, local diagnostics. If your traffic routes through an HTTPS proxy and the proxy certificate fails, explicitly use the --proxy-insecure flag instead of stripping origin trust.
Plain GET request ignoring SSL:
```bash
curl -k https://example.com
```
API request with authentication headers:
```bash
curl --insecure -H "Authorization: Bearer YOUR_TOKEN" https://api.example.com/data
```
POST request with JSON payload:
```bash
curl -k -X POST -H "Content-Type: application/json" -d '{"key":"value"}' https://example.com/api
```
When is -k acceptable?
Strictly limit -k to local development, staging environments, one-off debugging sessions, or broken internal endpoints you exclusively control. Pair -k with verbose output (-v) to identify the underlying trust issue, fix the root certificate problem, and remove the flag immediately.
What curl disable ssl check Actually Does
By default, cURL verifies two mechanisms:
- The Certificate Chain (CURLOPT_SSL_VERIFYPEER): Traces the certificate back to a trusted Certificate Authority (CA).
- The Hostname (CURLOPT_SSL_VERIFYHOST): Ensures the domain matches the name on the certificate.
Using --insecure disables both checks. Encryption stays on, but identity verification turns off. You establish a secure, encrypted channel, but you possess zero proof of who sits on the other end.
Hidden Risk: HSTS and Alt-Svc Trust
When you bypass certificate validation, cURL warns that it can store and subsequently trust HTTP Strict Transport Security (HSTS) or Alternative Services (Alt-Svc) information provided by malicious servers. This expands the blast radius of a single bypassed check into future requests.
TL;DR: curl -k encrypts your data but abandons server authentication. A stray -k hidden in a CI/CD pipeline silently disables security. Never deploy it in production scripts.
Diagnose Before You Bypass
Do not blindly append --insecure. First, determine where the trust failure lives: the origin server, the corporate proxy, the local CA bundle, the container image, or a dev certificate.
Step 1: Start with curl -v
Verbose output is your best diagnostic tool. It reveals the exact CA store path cURL checks and the specific certificate details the server presents.
Run curl -v https://example.com. Look for:
- The certificate issuer.
- Any hostname mismatch warnings.
- The exact CA bundle path loaded by your OS.
- Proxy connection clues.
Step 2: Identify the Bottleneck
- Enterprise Proxies: Inspection proxies (like Netskope or Zscaler) decrypt and re-sign traffic with a corporate CA. If your machine lacks that internal CA, cURL rejects the connection. This requires proxy-specific trust flags, not an origin bypass.
- Missing Intermediates: If a server fails to send the proper intermediate certificate during the TLS handshake, cURL returns an error. You must fix the server configuration or explicitly trust the required CA locally.
cURL SSL Error Codes: Finding the Right Fix
Match your cURL exit code to the structural cause. This allows you to deploy the safest fix rather than defaulting to a global bypass.
| Exit Code | Common Message | Root Cause | Safest First Fix | Temporary Bypass |
|---|---|---|---|---|
| 35 | ssl connect error | Cipher mismatch, unsupported TLS version, or network block. | Upgrade TLS libraries. | N/A (Handshake failed) |
| 51 | certificate verification failed | Hostname mismatch or pinned pubkey validation failed. | Fix request URL or update pin. | --insecure |
| 60 | unable to get local issuer certificate | Local machine lacks the CA needed to authenticate the peer. | Update CA bundle or use --cacert. | --insecure |
| 77 | error setting certificate verify locations | Missing, corrupt, or permission-denied CA file. | Check file permissions and paths. | --insecure |
| 83 | issuer check failed | Server omitted the required intermediate certificate. | Fix server chain or supply --cacert. | --insecure |
Safer Alternatives to curl skip ssl verification
cURL provides a gradient of trust controls. You are never forced into a binary choice between default verification and blind bypass.
TL;DR: The Security Spectrum
- Localhost dev: Use mkcert.
- Private APIs: Use --cacert.
- Self-signed servers you own: Use --pinnedpubkey.
- OS trust store issues: Use --ca-native.
Local Development: Use mkcert
Do not use -k for localhost. Use mkcert. It installs a local CA into your system trust store and issues locally trusted certificates for your development hostnames, perfectly mimicking production HTTPS.
```bash
# Install local CA into system trust store
mkcert -install
# Generate trusted cert for local domain
mkcert localhost
```
Self-Signed or Private CA: Use --cacert
To make cURL ignore a self-signed certificate safely, explicitly tell cURL which CA to trust. You can define this per request or via environment variables (CURL_CA_BUNDLE or SSL_CERT_FILE). See SSL CA Certificates.
```bash
curl --cacert /path/to/internal-ca.pem https://internal-api.company.local
```
OS Store Mismatches: Use --ca-native
Sometimes cURL is built with a hardcoded CA bundle path that differs from the one your OS uses. Supplying --ca-native forces cURL to extract trust directly from the operating system’s native CA store (Schannel on Windows, Secure Transport on macOS).
HTTPS Proxy Errors: Use --proxy-insecure
When using an HTTPS proxy, cURL performs two separate TLS handshakes. If the proxy certificate fails, use --proxy-cacert to supply the proxy's CA, or --proxy-insecure to bypass the proxy's TLS check while keeping the origin server's validation fully intact.
Known Self-Signed Endpoints: Use --pinnedpubkey
If you manage a specific self-signed server, bypass CA verification safely by pinning the server’s exact public key hash. The request succeeds only if the remote key perfectly matches your pinned hash.
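How to obtain that hash, as an added example that is not part of the original article: it derives the `sha256//` value from a certificate and cross-checks it against the private key. It assumes the `openssl` CLI is installed; the function names and the throwaway demo certificate are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: derive the value for --pinnedpubkey from a certificate you control.
# Assumes the openssl CLI is installed; function and file names are illustrative.

# Print "sha256//<base64>" for the public key (SPKI) inside a PEM certificate.
pin_from_cert() {
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform der |
    openssl dgst -sha256 -binary |
    openssl base64 | sed 's|^|sha256//|'
}

# Same pin computed from the private key, to confirm cert and key belong together
# before the pin is distributed to clients.
pin_from_key() {
  openssl pkey -in "$1" -pubout -outform der |
    openssl dgst -sha256 -binary |
    openssl base64 | sed 's|^|sha256//|'
}

# Constructed throwaway self-signed certificate for a dry run; prints its directory.
make_demo_cert() {
  local d
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=self-signed.internal' \
    -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
  printf '%s\n' "$d"
}
```

The pin covers the public key, not the whole certificate, so it stays valid when the certificate is reissued with the same key and must be rotated when the key changes.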
```bash
curl --insecure --pinnedpubkey "sha256//Y0uR/h4sH+H3rE=" https://self-signed.internal
```
Revocation Edge Cases on Windows: Use --ssl-no-revoke
On Windows, the Schannel backend strictly checks certificate revocation lists (CRLs). If the revocation server goes offline, the TLS handshake fails. The --ssl-no-revoke flag selectively disables this Schannel revocation check without disabling standard CA verification.
Fixing cURL SSL Errors in Specific Environments
A cURL command that works locally often breaks in CI pipelines or Docker containers due to divergent trust stores.
Docker and CI/CD
If your enterprise proxy re-signs traffic, base container images will immediately reject external API calls. Inject your corporate CA directly into the container image during the build process.
```dockerfile
# Dockerfile snippet for Debian/Ubuntu
COPY corporate-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
ENV CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
```
PHP and libcurl (CURLOPT_SSL_VERIFYPEER)
When writing code, you control trust through specific flags. Do not normalize verify=false as the permanent answer.
Unsafe Bypass (Diagnostic Only):
```php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
```
Safe Explicit Trust:
```php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
```
Production Guardrails and Automation
Do not allow temporary bypasses to leak into cron jobs, CI pipelines, or deployed infrastructure. Never add insecure to your ~/.curlrc file—this silently strips validation from every command you run, leaving you blind to MITM interception.
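One way to enforce this in a pipeline, as an added example that is not part of the original article: a pre-merge scan that flags `-k`/`--insecure` on curl command lines, disabled `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` in code, and `insecure` in a curlrc file. The function names, rule labels and the constructed demo tree are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: CI guardrail that flags TLS-verification bypasses before merge.
# Rule names and demo file names are assumptions, not from the article.

# Print "<rule> <file>:<line>:<text>" for every bypass found under directory $1.
scan_insecure_curl() {
  local root=$1
  # curl ... -k / --insecure, including clustered short flags such as -sSk.
  # --proxy-insecure and --cacert are deliberately not matched.
  local cli='curl[[:space:]]([^|;&#]*[[:space:]])?(--insecure|-[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)'
  # PHP/libcurl: VERIFYPEER or VERIFYHOST set to false or 0.
  local php='CURLOPT_SSL_VERIFY(PEER|HOST)[[:space:]]*,[[:space:]]*(false|FALSE|0)[[:space:]]*\)'
  # curlrc: a bare "insecure", "--insecure" or "-k" line.
  local rc='^[[:space:]]*(-k|(--)?insecure)([[:space:]]|$)'
  {
    # grep exits 1 on "no match"; "|| true" keeps set -e / pipefail callers alive.
    grep -rnIE -e "$cli" "$root" | sed 's/^/cli-bypass /' || true
    grep -rnIE -e "$php" "$root" | sed 's/^/libcurl-bypass /' || true
    find "$root" -type f \( -name '.curlrc' -o -name '_curlrc' \) \
      -exec grep -nHE -e "$rc" {} + | sed 's/^/curlrc-bypass /' || true
  } | sort
}

# CI gate: exit status 0 when clean, 1 (findings on stderr) otherwise.
check_no_insecure_curl() {
  local findings
  findings=$(scan_insecure_curl "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings" >&2
  return 1
}

# Constructed sample tree for a dry run; prints the directory it created.
make_demo_tree() {
  local d
  d=$(mktemp -d)
  printf '%s\n' 'curl -sSk https://api.example.com/health' \
    'curl --cacert ca.pem https://internal-api.company.local' \
    'curl --proxy-insecure -x https://proxy.example:8443 https://example.com' > "$d/deploy.sh"
  printf '%s\n' 'curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);' \
    'curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);' > "$d/client.php"
  printf '%s\n' '# personal defaults' 'insecure' > "$d/.curlrc"
  printf '%s\n' "$d"
}
```

Call `check_no_insecure_curl .` as a pipeline step. The short-flag pattern is a heuristic and can over-match (for example `-ok`, which curl reads as `-o k`), so treat hits as items to review.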
Prepare for Shorter Certificate Lifespans
As certificate lifespans decrease, the frequency of renewal-related failures increases. Let’s Encrypt will make 45-day opt-in certificates available starting May 13, 2026. On February 16, 2028, all classic Let's Encrypt certificates will drop to a mandatory 45-day validity period. See Decreasing Certificate Lifetimes to 45 Days.
Scaling Web Data Extraction Without SSL Nightmares
If you constantly encounter SSL errors, proxy drops, or timeouts because you are looping shell scripts across thousands of targets, manual cURL troubleshooting stops scaling.
For teams building reliable web data pipelines, automated infrastructure handles IP rotation, proxy trust, and TLS handshakes natively.
- Single Pages: Point your API calls to Olostep’s Scrape Endpoint (/v1/scrapes) for seamless HTML or Markdown extraction.
- Large Volumes: Use the Batch Endpoint (/v1/batches) to process up to 10k URLs within minutes, completely eliminating local connection timeouts.
- Structured Data: Use Olostep Parsers to skip raw HTML post-processing and return stable JSON directly.
If you are manually looping cURL commands and fighting curl: (60) ssl certificate problem, use Olostep to handle the underlying TLS complexity at scale.
Frequently Asked Questions
How do I make curl ignore a self-signed certificate?
Add the -k or --insecure flag to your command. For a secure, long-term fix, use --cacert /path/to/cert.pem to explicitly trust the self-signed certificate without disabling global validation.
Why does curl return exit code 60?
cURL error 60 (unable to get local issuer certificate) means your local machine lacks the necessary CA bundle to verify the server’s identity. Fix this by updating your operating system's CA certificates or specifying a trusted bundle via the --cacert flag.
What is the difference between curl --insecure and curl --proxy-insecure?
--insecure disables SSL verification for the final destination server. --proxy-insecure disables SSL verification only for the intermediate HTTPS proxy routing your traffic, preserving the destination server's security checks.
