There's a bunch of resources for this kind of thing. A single solution isn't always so straightforward, as it varies greatly between configurations and the tech stack you're using. I'll provide a list of the most likely things you can try, and you can see what works for you.
First off, some information regarding the problem:
Root certificates expire after so many years. Generally this is handled at the operating system level with upgrades. If you're on an older setup for extended periods of time, you may encounter the issue.
If you recently updated stuff, it's possible just refreshing the right services and/or rebooting can fix it.
You can grab a new root certificate bundle from https://curl.se/docs/caextract.html
Download the cacert.pem file and move it somewhere onto your system, e.g. you can put it at the root level as /cacert.pem etc.
You might also consider something more standard looking for Linux-based systems, such as /etc/ssl/certs/cacert.pem or /usr/local/share/ca-certificates/ca-bundle.crt (you'd rename the cacert.pem to ca-bundle.crt for certain Linux distros).
It's possible that running a command such as one of the following may fix it afterwards:
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
Next up is to point PHP over so it can find the information.
Note you'll need to work on CLI and your web service's php.ini file separately (e.g. cli, fpm, apache2, httpd, etc)
/etc/php/7.4/cli/php.ini
/etc/php/7.4/fpm/php.ini
Ideally you'd use something of this form:
[curl]
curl.cainfo = /etc/ssl/certs/cacert.pem
[openssl]
openssl.cafile = /etc/ssl/certs/cacert.pem
Note that instead of working directly on the php.ini file, you can also work on files such as:
/etc/php.d/20-curl.ini
/etc/php.d/20-openssl.ini
This would work for the CLI without having to reboot or restart any services. For Apache or a similar web server service, you'll probably be going through fpm.
If you're going through fpm, run:
sudo systemctl restart php7.4-fpm
or alternatively:
sudo service php7.4-fpm reload
If you're not going through fpm, or even if you are (it doesn't hurt), you can also refresh your web server service, e.g. Apache. Depending on your Linux distro it would be one of these:
sudo service apache2 reload
(e.g. Ubuntu) or
sudo service httpd reload
(e.g. Amazon Linux). For other web services such as nginx, replace the httpd or apache2 with nginx, etc.
Note that if you still run into problems, you can always sidestep the issue, but this opens you up to man-in-the-middle attacks, as you're basically saying trust all certificates:
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
You can also try to load the cacert.pem file directly for a particular request (don't do this long-term, but it can help with debugging):
// CAINFO takes a single file of concatenated PEM certificates
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/cacert.pem');
// CAPATH takes a directory of certificates, not a file
curl_setopt($ch, CURLOPT_CAPATH, '/etc/ssl/certs');
Note that you can also do similar tricks (disabling validation or linking directly to the certificate) with file_get_contents by sending in SSL context options: https://www.php.net/manual/en/context.ssl.php
Note there's a bunch of other options you can try such as updating the system's root certificates for your system.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-expired-certificate/
https://www.hs-schmalkalden.de/en/university/faculties/faculty-of-electrical-engineering/studium/use-of-it/install-ca-certificates-on-linux-systems.html
Here are some similar questions which may help:
PHP - SSL certificate error: unable to get local issuer certificate
https://serverfault.com/questions/394815/how-to-update-curl-ca-bundle-on-redhat
https://serverfault.com/questions/699627/self-signed-certificates-create-problems-on-nginx-php
https://serverfault.com/questions/559571/install-a-root-certificate-in-centos-6
cURL error 60: SSL certificate: unable to get local issuer certificate
PHP cURL certificate error
How to get SSL certificate info with CURL in PHP?
If you're sitting on an older operating system, it's usually a sign to upgrade and/or move over to something newer if you can migrate over. If you can migrate, then you essentially work around the problem.
If you run into trouble, you can always do some searching for your particular situation, assuming you understand the situation, and probably find a solution pretty easily.
There are plenty of resources out there for this kind of issue.
A word of caution: don't do anything too crazy that would mess up your system along the way. It's always a good idea to back up. Even more care should be taken if you're going to be doing this in production. You might play around with a clone of the instance first, etc.
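A diagnostic for the php.ini and CURLOPT_CAINFO steps above, as an added example that is not part of the original answer: it reports which CA bundle the current SAPI is actually configured with and attempts a request with verification left on. The test URL is an assumption, and the bundle path is the /etc/ssl/certs/cacert.pem location used above.

```php
<?php
// Added example: show which CA bundle this PHP SAPI uses and test a verified request.
// Run it once from the CLI and once through the web server; the two may differ.

function describeBundle(?string $path): string
{
    if ($path === null || $path === '') {
        return '(not set)';
    }
    if (!is_file($path) || !is_readable($path)) {
        return "$path (missing or unreadable by this PHP user)";
    }
    // Count PEM blocks so an empty or truncated download is obvious.
    $count = substr_count(file_get_contents($path), '-----BEGIN CERTIFICATE-----');
    return "$path ($count certificates, modified " . date('Y-m-d', filemtime($path)) . ')';
}

function verifiedRequest(string $url, ?string $caFile = null): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,  // only the TLS handshake matters here
        CURLOPT_SSL_VERIFYPEER => true,  // keep chain validation on
        CURLOPT_SSL_VERIFYHOST => 2,     // keep the hostname check on
        CURLOPT_TIMEOUT        => 10,
    ]);
    if ($caFile !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caFile); // single file of PEM certificates
    }
    curl_exec($ch);
    return ['errno' => curl_errno($ch), 'error' => curl_error($ch)];
}

echo 'SAPI:            ', PHP_SAPI, PHP_EOL; // cli, fpm-fcgi, apache2handler, ...
echo 'Loaded php.ini:  ', php_ini_loaded_file() ?: '(none)', PHP_EOL;
echo 'curl.cainfo:     ', describeBundle(ini_get('curl.cainfo') ?: null), PHP_EOL;
echo 'openssl.cafile:  ', describeBundle(ini_get('openssl.cafile') ?: null), PHP_EOL;
echo 'OpenSSL default: ', describeBundle(openssl_get_cert_locations()['default_cert_file']), PHP_EOL;

$url = $argv[1] ?? 'https://example.com/'; // assumed test URL; pass your own as argument 1
// null = whatever php.ini / the system provides; the path is the bundle location used above
foreach ([null, '/etc/ssl/certs/cacert.pem'] as $ca) {
    $r = verifiedRequest($url, $ca);
    printf("%-28s errno=%d %s\n", $ca ?? 'configured default', $r['errno'], $r['error'] ?: 'OK');
}
```

If the configured default fails with errno 60 while the explicit bundle succeeds, the php.ini for that SAPI is not pointing at the updated file.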