Installing Java7 on Debian Servers

Markus Stumpf
Tuesday, 22. January 2013
Tagein, tagaus
0
Trackback URL

Today I wanted to install Java7 JDK on a server with a very minimal Debian base installtion.

First of all add the WebUpd8 teams repository: (Thanks guys!)

$ sudo bash
# cd /etc/apt/sources.list.d/
# cat > webupd8team-java.list <<__EOF__
deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main
__EOF__
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
# aptitude update
# aptitude install oracle-java7-installer

This is where the trouble started.

aptitude should install a package called oracle-java7-installer. The package starts a download from oracle.com. However wget fails, because of certificate validation errors:

Connecting to edelivery.oracle.com|23.57.114.174|:443... connected.
ERROR: cannot verify edelivery.oracle.com’s certificate, issued by
    “/C=US/O=Akamai Technologies Inc/CN=Akamai Subordinate CA 3”:
    Unable to locally verify the issuer’s authority.
To connect to edelivery.oracle.com insecurely, use ‘--no-check-certificate’.
download failed
Oracle JDK 7 is NOT installed.

Google'ing for the reason I found a lot of people having that problem, but all the "solutions" where oviously wrong like

delete apt caches and start from scratch
get it from somewhere else
...

The problem is clearly a certificate error and has nothing to do with the package or caches or anything else.

I had another machine where a wget https://edelivery.oracle.com/ had no certificate problems. So, where did wget on that machine get the certificate from?

$ cd /tmp
$ strace wget https://edelivery.oracle.com/ 2>&1 | fgrep open
  [ ... ]
open("/usr/lib/ssl/certs/4d654d1d.0", O_RDONLY) = 4
  [ ... ]

There we are, a hashed file that contains the certificate.

$ ls -l /usr/lib/ssl/certs/4d654d1d.0
lrwxrwxrwx 1 root root 30 Aug 3 17:28 /usr/lib/ssl/certs/4d654d1d.0 -> GTE_CyberTrust_Global_Root.pem
$ ls -l /usr/lib/ssl/certs/GTE_CyberTrust_Global_Root.pem
lrwxrwxrwx 1 root root 65 May 12  2011 /usr/lib/ssl/certs/GTE_CyberTrust_Global_Root.pem ->
        /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

Ok, one step closer, but where is that file from? Let's see:

$ dpkg -S /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt
ca-certificates: /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

So back to the other Debian box:

# sudo aptitude install ca-certificates

That still didn't fix the problem as the directory still did not exist and the links weren't in there and the hashes neither. A bit more google'ing and I have learned about c_rehash which is in the openssl package that is installed as a dependency of the ca-certificates package. And here are the final commands:

# mkdir /usr/lib/ssl/certs
# cd /usr/lib/ssl/certs
# chmod 755 .
# ln -s /usr/share/ca-certificates/mozilla/* .
# /usr/bin/c_rehash /usr/lib/ssl/certs
# aptitude install oracle-java7-installer

Et voila! Hope that helps!

Comments

No comments