Installing Java7 on Debian Servers

Today I wanted to install Java7 JDK on a server with a very minimal Debian base installtion.

First of all add the WebUpd8 teams repository: (Thanks guys!)

$ sudo bash
# cd /etc/apt/sources.list.d/
# cat > webupd8team-java.list <<__EOF__
deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main
__EOF__
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
# aptitude update
# aptitude install oracle-java7-installer

This is where the trouble started.

aptitude should install a package called oracle-java7-installer. The package starts a download from oracle.com. However wget fails, because of certificate validation errors:

Connecting to edelivery.oracle.com|23.57.114.174|:443... connected.
ERROR: cannot verify edelivery.oracle.com’s certificate, issued by
    “/C=US/O=Akamai Technologies Inc/CN=Akamai Subordinate CA 3”:
    Unable to locally verify the issuer’s authority.
To connect to edelivery.oracle.com insecurely, use ‘--no-check-certificate’.
download failed
Oracle JDK 7 is NOT installed.

Google'ing for the reason I found a lot of people having that problem, but all the "solutions" where oviously wrong like

• delete apt caches and start from scratch
• get it from somewhere else
• ...

The problem is clearly a certificate error and has nothing to do with the package or caches or anything else.

I had another machine where a wget https://edelivery.oracle.com/ had no certificate problems. So, where did wget on that machine get the certificate from?

$ cd /tmp
$ strace wget https://edelivery.oracle.com/ 2>&1 | fgrep open
  [ ... ]
open("/usr/lib/ssl/certs/4d654d1d.0", O_RDONLY) = 4
  [ ... ]

There we are, a hashed file that contains the certificate.

$ ls -l /usr/lib/ssl/certs/4d654d1d.0
lrwxrwxrwx 1 root root 30 Aug 3 17:28 /usr/lib/ssl/certs/4d654d1d.0 -> GTE_CyberTrust_Global_Root.pem
$ ls -l /usr/lib/ssl/certs/GTE_CyberTrust_Global_Root.pem
lrwxrwxrwx 1 root root 65 May 12  2011 /usr/lib/ssl/certs/GTE_CyberTrust_Global_Root.pem ->
        /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

Ok, one step closer, but where is that file from? Let's see:

$ dpkg -S /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt
ca-certificates: /usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt

So back to the other Debian box:

# sudo aptitude install ca-certificates

That still didn't fix the problem as the directory still did not exist and the links weren't in there and the hashes neither. A bit more google'ing and I have learned about c_rehash which is in the openssl package that is installed as a dependency of the ca-certificates package. And here are the final commands:

# mkdir /usr/lib/ssl/certs
# cd /usr/lib/ssl/certs
# chmod 755 .
# ln -s /usr/share/ca-certificates/mozilla/* .
# /usr/bin/c_rehash /usr/lib/ssl/certs
# aptitude install oracle-java7-installer

Et voila! Hope that helps!