How to fix Rackspace PHP-Opencloud certificate authority error

Error response from Guzzle:

Guzzle\Http\Exception\CurlException: [curl] 60: Peer's Certificate issuer is not recognized.

I'm putting this here as a simple guide for anyone else experiencing this error.

In my case, I was using the league/flysystem-rackspace Composer library to connect to Rackspace's block file storage to upload and retrieve files. This library requires rackspace/php-opencloud.

The Problem:

Rackspace's PHP-Opencloud library uses Guzzle3 which is now deprecated. Initially this wasn't a problem, but then Rackspace rotated out its certificate authority .pem file this spring (May-ish 2018), and thus we got a mismatch error and cURL stopped recognizing the certificate.

The Solution:

Simply put, you need to replace Guzzle3's local cacert.pem file. However, because this outdated library is included via Composer we can't simply replace this on the server as it will be overwritten when you next deploy.

Rackspace's new cacert.pem file can be found here:

https://curl.haxx.se/ca/cacert.pem

Got this link from the Rackspace forum post here:

https://community.rackspace.com/products/f/dedicated-hybrid-hosting-forum/8674/rackspace-public-cloud-php-opencloud-sdk-errors-due-to-outdated-certificate-authority-list

You need to store this file somewhere on your server, and it's probably best if it is somewhere not accessible to the web. Let's say /var/resources for the sake of this guide.

You then need to create a hook in your deployment process that executes after Composer dependencies have finished. If you're using Envoyer.io then it's as simple as this:

cd {{release}}
rm -f vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem
cp -f /var/resources/cacert.pem vendor/guzzle/guzzle/src/Guzzle/Http/Resources/cacert.pem

Now the error is gone. Isn't that nice?

If I've missed something in here or could stand to add more details please let me know.