UPDATE
I found the magic incantation. Leaving it here in case it helps someone in the future:
$ openssl pkcs12 -export -in /path/to/letsencrypt/live/www.you.com/fullchain.pem -inkey /path/to/letsencrypt/live/www.you.com/privkey.pem -out cert.pkcs12
Enter Export Password: <pick a password>
Verifying - Enter Export Password: <same password>
$ keytool -importkeystore -destkeystore <your keystore name> -srckeystore cert.pkcs12 -srcstoretype PKCS12
Enter destination keystore password: <USE THE SAME PASSWORD>
Re-enter new password: <...again...>
Enter source keystore password: <and again>
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
export MB_DB_FILE=/var/www/mbapp/metabase-data/metabase.db
export MB_JETTY_HOST=0.0.0.0
export MB_JETTY_SSL="true"
export MB_JETTY_SSL_PORT="8800"
export MB_JETTY_SSL_KEYSTORE="/var/www/mbapp/metabase-data/new_keystore.jks"
export MB_JETTY_SSL_KEYSTORE_PASSWORD="<same password from previous steps>"
java -jar metabase.jar
Once I did this, Metabase launched & I could reach it at https://
Original Post
The server I’m working on has an existing letsencrypt setup, and I am now trying to piggyback off that. After much fumbling around with Google to try to figure out what a certificate is, how to find it in my filesystem, what a keystore is, how to combine pems into a certificate that I can then import into a keystore…
I finally got all the commands to complete without throwing errors, and got Metabase to launch per the docs:
cat letsencrypt.crt letencrypt.key > mb.pem
keytool -importcert -file mb.pem -alias mbapp -keystore mbapp.jks
export MB_DB_FILE=/var/www/mbapp/metabase-data/metabase.db
export MB_JETTY_HOST=0.0.0.0
export MB_JETTY_SSL="true"
export MB_JETTY_SSL_PORT="8800"
export MB_JETTY_SSL_KEYSTORE="/var/www/mbapp/metabase-data/mbapp.jks"
export MB_JETTY_SSL_KEYSTORE_PASSWORD="redacted"
java -jar metabase.jar
All the messages scrolled by without errors, and everything looked to have started correctly, but I can’t connect to my app at https://server:8800, it gives the error in the title. I know the cert itself is good, because 2 other services on that machine are serving https requests using it.
I am definitely a bit out of my depth, as I rarely (if ever) have touched these kinds of configs in the past. Perhaps I combined the cert & key wrong; or imported the combined certificates wrong? Any help is appreciated! Thanks!
(I maybe should note that there is no single overarching server with a document root at /var/www - there is a collection of little servers, I just put things in /var/www to keep it contained.)
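The difference between the two attempts above shows up in the keystore's entry type: `keytool -importcert` stores a certificate without its private key (a `trustedCertEntry`), while importing the PKCS12 bundle with `-importkeystore` carries the key along (a `PrivateKeyEntry`), which is what a TLS server needs. The following check is an added example, not part of the original post; the function names `classify_listing` and `check_keystore` are hypothetical and the sample listings are constructed.

```shell
#!/bin/sh
# Added example. Sample listings below are constructed, not real keytool output.

# classify_listing: read `keytool -list` output on stdin, print "alias<TAB>type"
# per entry, and return 0 only if at least one entry holds a private key.
classify_listing() {
    cl_status=1
    while IFS= read -r cl_line; do
        case "$cl_line" in
            *PrivateKeyEntry*)  cl_type=PrivateKeyEntry; cl_status=0 ;;
            *trustedCertEntry*) cl_type=trustedCertEntry ;;
            *) continue ;;
        esac
        # The alias is everything before the first comma on the entry line.
        printf '%s\t%s\n' "${cl_line%%,*}" "$cl_type"
    done
    return "$cl_status"
}

# check_keystore: list the keystore Metabase is configured with. The password is
# read from the environment (-storepass:env) so it never appears in argv.
check_keystore() {
    keytool -list -keystore "$MB_JETTY_SSL_KEYSTORE" \
        -storepass:env MB_JETTY_SSL_KEYSTORE_PASSWORD | classify_listing
}

SAMPLE_CERT_ONLY='Keystore type: PKCS12
Your keystore contains 1 entry

mbapp, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:(constructed)'

SAMPLE_WITH_KEY='Keystore type: PKCS12
Your keystore contains 1 entry

1, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:(constructed)'

for sample in "$SAMPLE_CERT_ONLY" "$SAMPLE_WITH_KEY"; do
    if printf '%s\n' "$sample" | classify_listing; then
        echo "=> has a private key: Jetty can complete a TLS handshake"
    else
        echo "=> certificates only: nothing to serve TLS with"
    fi
done
```

The keystore is a copy of the Let's Encrypt files, so it keeps the old certificate after a renewal; re-run the export and import steps whenever the certificate renews.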