Use let's encrypt with Metabase (Java Webserver)


#1

I’m using Metabase for a private dashboard which is however accessible over the internet, therefore I would like to secure it with a certificate from let’s encrypt as it is free. I’m curious if it’s possible to create a certificate for the Metabase Java Webserver? Or is there any other solution which is recommendable?


#2

I use a apache2 server for ssl termination and as proxy.
in apache2 i configured a virtual host for ssl connections to metabase.mydomain.com. with certbot for apache2 i signed the ssl certificate.
the proxy configuration for the virtual host looks like that:

ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/


#3

You can terminate at the MB webserver –
see http://www.metabase.com/docs/latest/operations-guide/start.html#using-https-with-metabase


#4

I chose a different approach, I self signed a certificate and now use it with metabase directly, it works perfectly.


#5

You have to create a java keystore file with your letsencrypt cert and private key and give it a password for SSL to work with metabase. I applied the following command lines to achieve this:

openssl pkcs12 -export -in /etc/letsencrypt/live/foobar.com/fullchain.pem -inkey /etc/letsencrypt/live/foobar.com/privkey.pem -out /etc/apache2/keystore/foobar.com.p12 -password pass:YOURPASSWORDHERE

keytool -importkeystore -srckeystore /etc/apache2/keystore/foobar.com.p12 -srcstoretype pkcs12 -srcstorepass YOURPASSWORDHERE -destkeystore /etc/apache2/keystore/foobar.com.keystore -deststoretype jks -deststorepass YOURPASSWORDHERE

export MB_JETTY_SSL=“true”
export MB_JETTY_SSL_Port=“8443”
export MB_JETTY_SSL_Keystore="/etc/apache2/keystore/foobar.com.keystore"
export MB_JETTY_SSL_Keystore_Password=“YOURPASSWORDHERE”

Then ran

java -jar metabase.jar

and I was able to connect to metabase https on port 8443.

You’ll probably need to do this more than once as certbot rotates keys every 90 days by default. Or just write a script.