SSL For Java Installation (with Cloudflare)


#1

Hello there

I’ve installed Metabase using the Java edition on my Ubuntu server. Can someone please teach me how to set it up so that my metabase runs on https? Is there a guide I can follow for this please?


#2

Have a look here:


#3

Thanks so much Joe!


#4

Hey Joe (and anyone else who’s reading this)

I’ve managed to generate a jks file with the crt files issued by my SSL provider. I also managed to start up Metabase successfully with the correct environment variables.

However, when I try to access my site through HTTPS, Chrome returns an error saying cipher mismatch.

Where should I look to debug this problem?


#5

First thing I would try is to use another browser. Chrome has been more picky about HTTPS lately (for good reasons).

What is the exact error message you get? What does a google search for that suggest?

I tried a quick search for chrome cipher mismatch (which is all you gave us to work with till now) and it came up with both suggestions for what to try on Chrome itself but also e.g. stuff pointing to the certificate and not cipher mismatches like https://community.spiceworks.com/topic/857680-err_ssl_version_or_cipher_mismatch-on-internal-website-only-on-chrome

A cipher mismatch btw is that the server and browser do not agree on one of the “cipher suites” they both offer to work with. I usually use https://www.ssllabs.com/ssltest/ for investigating if HTTPS is set up correctly on a server. It has a section on what cipher suites a server offers to work with. There are also other tools if you’re not able to expose your server to the internet.

There are ways to configure Jetty (the web server embedded into Metabase). But let’s wait before going there until the problem has been narrowed down :slightly_smiling_face:

Hope this helps for a start. Now tell us what you tried of the above and what outcome it gave. Then we can take it from there!


#6

Wow thanks Joe!

Ok so now I’m gonna test 2 things:

  1. Load with Chrome and share screenshot
  2. Load with Firefox and share screenshot
  3. Use https://www.ssllabs.com/ssltest/ and share results

Give me 10 minutes, I’ll be right back!


#7

Metabase is running now, using:

sudo MB_ENCRYPTION_SECRET_KEY='xxxx' MB_JETTY_SSL="true" MB_JETTY_SSL_Port="8443" MB_JETTY_SSL_Keystore="./keystore.jks" MB_JETTY_SSL_Keystore_Password="xxxx" java -jar metabase.jar


#8

Somehow, I’m not getting the cipher mismatch right now. I’m just getting a 521 error. Both Chrome and Firefox gave the same error.


#9

I just ran a test on SSLlabs.com, and got the following results:


#10

@jornh Sorry for the multiple posts, but my new account on Discourse won’t allow me to post multiple images in one post. But this is where I’m stuck.


#11

OK, @felixsim I see you have set up your server behind some Cloudflare service. I’ve never worked with Cloudflare - so I guess what you want to follow is the documentation from Cloudflare.

I noted one thing though: Following the Metabase HTTPS guide linked above you set MB_JETTY_SSL_Port="8443". But if I go to the Cloudflare Error 521 screen URL in your screenshot in SSL For Java Installation (with Cloudflare) above

There’s a link Additional Troubleshooting information - pointing to:

On that page it’s stated that they expect your server (Metabase) to respond on either port 80 or port 443. So try to change your Metabase start to use MB_JETTY_SSL_Port="443"


#12

Progress! Changing the port to 443 worked! But strangely the main page is fully secure. However when I open a dashboard or question, I get an error that it may not be fully secure.

Any thoughts?


#13


#14

#15

Yeap. Already changed to https but same problem persists. See screenshot:


#16

Good that you got that already (and also sad because then there’s a remaining problem that’s not that obvious :stuck_out_tongue_closed_eyes: )

My best suspicion right now reading the fine print in SSL For Java Installation (with Cloudflare) above is: “is the crypto currencies image I see in that screenshot maybe still served from an http address?”


#17

You are a genius. Changed that in the text box to https image and it works perfectly now. Thanks so much for helping me with this. I truly appreciate it and hope others found this useful as well!
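
The cause found in the last two posts, an image in a dashboard text box still loaded over http, can be checked for before a dashboard goes live. The following is an added example, not part of the thread and not Metabase code: `find_mixed_content` and the sample card are constructed for illustration, and it assumes the text box holds Markdown or inline HTML.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource, per tag. Plain
# <a href> links are navigation, not mixed content, so they are not listed.
FETCHING_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "embed": ("src",), "object": ("data",),
}
# Markdown image syntax: ![alt](url "optional title")
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*<?([^\s)>]+)')


class _SubresourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        wanted = FETCHING_ATTRS.get(tag, ())
        self.urls += [v.strip() for name, v in attrs if name in wanted and v]


def find_mixed_content(card_text):
    """Return http:// subresource URLs that an HTTPS page would load."""
    collector = _SubresourceCollector()
    collector.feed(card_text)
    collector.close()
    candidates = MD_IMAGE.findall(card_text) + collector.urls
    # Only an explicit http:// scheme is insecure; https://, protocol-relative
    # (//host/...) and relative URLs use the page's own secure scheme.
    return sorted({u for u in candidates if u.lower().startswith("http://")})


# Constructed sample: a text card mixing Markdown and inline HTML.
SAMPLE_CARD = """\
# Crypto dashboard
![prices](http://img.example.com/crypto.png "Prices")
![logo](https://img.example.com/logo.png)
<img src="//cdn.example.com/banner.png">
<IMG SRC='HTTP://img.example.com/legacy.gif'>
See the [old site](http://www.example.com/) for details.
"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_CARD):
        print("insecure subresource:", url)
```

Ordinary links such as `[old site](http://...)` are not reported, because following a link does not load content into the secure page.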