"No system CA bundle could be found" on Google App Engine on localhost

Question

I'm working on an app that I'll be running in the Google App Engine (GAE) that needs to access the GDrive API. When it's running up in the cloud, I'm able to use my special domain-wide authorization so that my users are automatically authenticated and I can use the gdrive api without any problems. That works very well.

However, when testing on localhost, the domain-wide auth won't work because we localhost doesn't actually authenticate your Google Account, you're just allowed to claim to be anyone you want. So, what I'm doing is instantiating my google $client differently on localhost and in the GAE. In the GAE, I use the special domain-wide auth, on localhost then I'm using the traditional Google Client configuration with a client id, client secret, oauth token processing, etc.

I redirect to Google, I tell Google to allow access, and then Google redirects me back to localhost to finalize the oauth process. When I take the code from google and call:

$client->authenticate($authcode);

I get an SSL error about a missing CA bundle.

No system CA bundle could be found in any of the the common system locations. PHP versions earlier than 5.6 are not properly configured to use the system's CA bundle by default. In order to verify peer certificates, you will need to supply the path on disk to a certificate bundle to the 'verify' request option: http://docs.guzzlephp.org/en/latest/clients.html#verify. If you do not need a specific certificate bundle, then Mozilla provides a commonly used CA bundle which can be downloaded here (provided by the maintainer of cURL): https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt. Once you have a CA bundle available on disk, you can set the 'openssl.cafile' PHP ini setting to point to the path to the file, allowing you to omit the 'verify' request option. See http://curl.haxx.se/docs/sslcerts.html for more information.

I've downloaded the .crt file and I've also tried downloading their .pem file and I've tried configuring my php.ini in several fashions to make it use those files...

openssl.cafile="/path/to/ca-bundle.crt"

or

openssl.cafile="/path/to/cacert.pem"

or

curl.cainfo="/path/to/ca-bundle.crt"

or

curl.cainfo="/path/to/cacert.pem"

But none of them seem to work or make a difference. What am I missing?

EDIT:

Telling me to authenticate the same on production and localhost means that you don't understand what I'm asking or the reason why I need to use the client. My question is about the certificates.

Answer 1

I finally found a solution from this answer, please go vote up their answer.

Looking through Google and Guzzle's code you might need to specify where the certificate bundle can be found by doing something like the following when you setup the Google Client and before your authenticate() call:

$client->setHttpClient(new GuzzleHttp\Client(['verify'=>'path\to\your\cert-bundle']));

This will override the default behavior and let you specify where the bundle is.