I found the magic incantation. Leaving it here in case it helps someone in the future:
```
$ openssl pkcs12 -export -in /path/to/letsencrypt/live/www.you.com/fullchain.pem -inkey /path/to/letsencrypt/live/www.you.com/privkey.pem -out cert.pkcs12
Enter Export Password: <pick a password>
Verifying - Enter Export Password: <same password>

$ keytool -importkeystore -destkeystore <your keystore name> -srckeystore cert.pkcs12 -srcstoretype PKCS12
Enter destination keystore password: <USE THE SAME PASSWORD>
Re-enter new password: <...again...>
Enter source keystore password: <and again>
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

export MB_DB_FILE=/var/www/mbapp/metabase-data/metabase.db
export MB_JETTY_HOST=0.0.0.0
export MB_JETTY_SSL="true"
export MB_JETTY_SSL_PORT="8800"
export MB_JETTY_SSL_KEYSTORE="/var/www/mbapp/metabase-data/new_keystore.jks"
export MB_JETTY_SSL_KEYSTORE_PASSWORD=<same password from previous steps>
java -jar metabase.jar
```
Once I did this, Metabase launched & I could reach it at https://
The server I’m working on has an existing letsencrypt setup, and I am now trying to piggyback off that. After much fumbling around with Google to try to figure out what a certificate is, how to find it in my filesystem, what a keystore is, how to combine pems into a certificate that I can then import into a keystore…
I finally got all the commands to complete without throwing errors, and got Metabase to launch per the docs:
```
cat letsencrypt.crt letencrypt.key > mb.pem
keytool -importcert -file mb.pem -alias mbapp -keystore mbapp.jks

export MB_DB_FILE=/var/www/mbapp/metabase-data/metabase.db
export MB_JETTY_HOST=0.0.0.0
export MB_JETTY_SSL="true"
export MB_JETTY_SSL_PORT="8800"
export MB_JETTY_SSL_KEYSTORE="/var/www/mbapp/metabase-data/mbapp.jks"
export MB_JETTY_SSL_KEYSTORE_PASSWORD="redacted"
java -jar metabase.jar
```
All the messages scrolled by without errors, and everything looked to have started correctly, but I can’t connect to my app at https://server:8800, it gives the error in the title. I know the cert itself is good, because 2 other services on that machine are serving https requests using it.
I am definitely a bit out of my depth, as I rarely (if ever) have touched these kinds of configs in the past. Perhaps I combined the cert & key wrong; or imported the combined certificates wrong? Any help is appreciated! Thanks!
(I maybe should note that there is no single overarching server with a document root at /var/www - there are a collection of little servers, I just put things in /var/www to keep it contained.)
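Added example, not part of the original post: `keytool -importcert` stores a certificate as a `trustedCertEntry` and never imports a private key, while the PKCS12 route via `keytool -importkeystore` produces a `PrivateKeyEntry`, which is what a TLS server needs. The script below classifies `keytool -list` output to tell the two apart; the function names and both sample listings are constructed for illustration.

```shell
# Added example: classify entries in `keytool -list` output read from stdin.
# Function names are hypothetical; sample listings are constructed.

# count_entries TYPE: number of entries of TYPE in the listing on stdin.
count_entries() {
    grep -c ", $1," || true   # grep -c prints 0 but exits 1 on no match
}

# has_private_key: succeed only if the listing contains a key entry.
has_private_key() {
    [ "$(count_entries PrivateKeyEntry)" -gt 0 ]
}

# check_listing: print a verdict; return 1 when no private key is present.
check_listing() {
    listing=$(cat)
    if printf '%s\n' "$listing" | has_private_key; then
        echo "OK: keystore has a PrivateKeyEntry"
    else
        n=$(printf '%s\n' "$listing" | count_entries trustedCertEntry)
        echo "FAIL: no PrivateKeyEntry ($n trustedCertEntry only)"
        return 1
    fi
}

# Constructed listing: keystore built with `keytool -importcert -alias mbapp`.
sample_importcert() {
    cat <<'EOF'
Your keystore contains 1 entry

mbapp, Jan 5, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
EOF
}

# Constructed listing: keystore built with `keytool -importkeystore`.
sample_importkeystore() {
    cat <<'EOF'
Your keystore contains 1 entry

1, Jan 5, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
EOF
}

sample_importcert | check_listing || true
sample_importkeystore | check_listing
# Real keystore: keytool -list -keystore <your keystore name> | check_listing
```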