When configuring new server at linode hosting I decided to try to use OpenJDK to run Tomcat. The system I installed was Debian Lenny.

It all went smoothly and I didn’t have any problems, until I tried to deploy application using Facebook API. I immediately have faced a problem when trying to login using Facebook – javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.

Application was based on Grails and used HTTPBuilder to do requests. It uses Apache HttpClient under the hood.

Googling revealed some workarounds for the problem, but they all required hacking some additional code to override SSL certificates validity checks. The matter was that the same exception appeared when one tried to connect to server with self-signed certificate.

However it wasn’t the case for me as Facebook’s certificate wasn’t self-sgned of course :) So I dug further. It turned out that for some reason OpenJDK in Debian Lenny was installed without any CA (certificate authorities). Also it looked like Debian Squeeze solves this problem.

So the solution for Debian Lenny is simple – download and install appropriate packages from Squeeze . Good news is that certificates come in their own packages:

wget "http://ftp.us.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20090814+nmu2_all.deb"
sudo dpkg -i ca-certificates_20090814+nmu2_all.deb
wget "http://ftp.us.debian.org/debian/pool/main/c/ca-certificates-java/ca-certificates-java_20100412_all.deb"
sudo dpkg -i ca-certificates-java_20100412_all.deb

ca-certificates is available in Lenny, but it needs to be updated as a dependency to ca-certificates-java