How to Disable SSL Certificate Verification in cURL for Local HTTPS Development


3 views

When working with HTTPS endpoints during development, especially localhost servers with self-signed certificates, cURL will refuse connections by default. This security feature becomes a development obstacle when you just need to test API endpoints without proper certificates.

The simplest way to bypass certificate verification is using the -k or --insecure flag:

curl -k https://localhost/api/test
# or
curl --insecure https://localhost:8443/status

For more controlled scenarios, consider these methods:

1. Adding CA Certificates

If you have access to the certificate, add it to cURL's CA store:

curl --cacert /path/to/cert.pem https://localhost

2. Environment Variable Approach

For Node.js environments using node-fetch or similar:

process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";

3. Permanent Configuration

Add this to your ~/.curlrc file (Linux/Mac):

insecure

Remember these important points:

  • Never use insecure mode in production
  • Self-signed certificates should only be for development
  • Consider setting up proper local CA for development environments

If -k doesn't work, try:

curl --verbose --insecure https://localhost

This will show detailed SSL handshake information.

Here's a complete example with common options:

curl -X POST \
  --insecure \
  -H "Content-Type: application/json" \
  -d '{"test":true}' \
  https://localhost:3000/api/v1/test

When working with local development environments using HTTPS, you'll often encounter SSL certificate verification errors like:

curl: (51) SSL peer certificate or SSH remote key was not OK

This occurs because most local development servers use self-signed certificates that aren't trusted by default in cURL's certificate store.

The simplest way to bypass certificate verification is using the -k or --insecure flag:

curl -k https://localhost/api

This tells cURL to:

  • Connect to the HTTPS endpoint
  • Ignore all SSL certificate validation
  • Proceed with the request despite security warnings

For more controlled scenarios, consider these options:

1. Disabling Verification via Config File

Create or modify ~/.curlrc to include:

insecure

This applies the insecure flag to all cURL requests from your user.

2. Adding Certificate to Trust Store

For permanent solutions in development environments:

# Extract certificate
openssl s_client -connect localhost:443 -showcerts </dev/null | openssl x509 -outform PEM > localhost.pem

# Add to cURL's CA store
sudo cp localhost.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates

While disabling verification is convenient for development:

  • Never use -k in production code
  • This makes you vulnerable to MITM attacks
  • Consider proper certificate generation for local development

For those using cURL in different programming languages:

PHP Example

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://localhost");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$result = curl_exec($ch);

Python Example

import requests

response = requests.get('https://localhost', verify=False)
print(response.text)