SOLVED: Setting up HTTPS, now getting error SSL_ERROR_NO_CYPHER_OVERLAP

UPDATE

I found the magic incantation. Leaving it here in case it helps someone in the future:

$ openssl pkcs12 -export -in /path/to/letsencrypt/live/www.you.com/fullchain.pem -inkey /path/to/letsencrypt/live/www.you.com/privkey.pem -out cert.pkcs12
Enter Export Password: <pick a password>
Verifying - Enter Export Password: <same password>

$ keytool -importkeystore -destkeystore <your keystore name> -srckeystore cert.pkcs12 -srcstoretype PKCS12
Enter destination keystore password: <USE THE SAME PASSWORD>  
Re-enter new password: <...again...>
Enter source keystore password: <and again>

Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

export MB_DB_FILE=/var/www/mbapp/metabase-data/metabase.db
export MB_JETTY_HOST=0.0.0.0
export MB_JETTY_SSL="true"
export MB_JETTY_SSL_PORT="8800"
export MB_JETTY_SSL_KEYSTORE="/var/www/mbapp/metabase-data/new_keystore.jks" 
export MB_JETTY_SSL_KEYSTORE_PASSWORD=<same password from previous steps>
java -jar metabase.jar

Once I did this, Metabase launched & I could reach it at https://

Original Post
The server I’m working on has an existing letsencrypt setup, and I am now trying to piggyback off that. After much fumbling around with Google to try to figure out what a certificate is, how to find it in my filesystem, what a keystore is, how to combine pems into a certificate that I can then import into a keystore…

I finally got all the commands to complete without throwing errors, and got Metabase to launch per the docs:

cat letsencrypt.crt letencrypt.key > mb.pem
keytool -importcert -file mb.pem -alias mbapp -keystore mbapp.jks
export MB_DB_FILE=/var/www/mbapp/metabase-data/metabase.db
export MB_JETTY_HOST=0.0.0.0
export MB_JETTY_SSL="true"
export MB_JETTY_SSL_PORT="8800"
export MB_JETTY_SSL_KEYSTORE="/var/www/mbapp/metabase-data/mbapp.jks" 
export MB_JETTY_SSL_KEYSTORE_PASSWORD="redacted"
java -jar metabase.jar

All the messages scrolled by without errors, and everything looked to have started correctly, but I can’t connect to my app at https://server:8800, it gives the error in the title. I know the cert itself is good, because 2 other services on that machine are serving https requests using it.

I am definitely a bit out of my depth, as I rarely (if ever) have touched these kinds of configs in the past. Perhaps I combined the cert & key wrong; or imported the combined certificates wrong? Any help is appreciated! Thanks!

(I maybe should note that there is no single overarching server with a document root at /var/www - there are a collection of little servers, I just put things in /var/www to keep it contained.)
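
A scripted version of the PEM to PKCS12 to JKS procedure from the UPDATE above, added here as an editorial example (it is not code from the poster or from Metabase). It assumes openssl on PATH and, only for the JKS steps, keytool; the alias `metabase`, the password `change-me`, the script name `make_keystore.sh`, and the throwaway self-signed certificate that stands in for the Let's Encrypt files are all placeholders. The `check_pkcs12` function is the check the original attempt lacked: `keytool -importcert` only ever creates a trustedCertEntry, so importing a concatenated cert+key file leaves the keystore with a certificate but no private key, Jetty has no key pair to complete a handshake with, and the browser reports it as no cipher overlap.

```shell
#!/bin/sh
# Added example (not from the forum post or Metabase): script the PEM -> PKCS12
# -> JKS steps from the update and verify each artifact before pointing
# MB_JETTY_SSL_KEYSTORE at it. Paths, the alias "metabase" and the password
# "change-me" are placeholders; keytool is only needed for the JKS steps.
set -eu

# make_pkcs12 FULLCHAIN PRIVKEY OUT ALIAS PASSWORD
# Bundle the chain and key into one PKCS12 entry named ALIAS. The password is
# handed over via the environment so it never shows up in `ps` or shell history.
make_pkcs12() {
  P12PW="$5" openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
      -out "$3" -passout env:P12PW
  chmod 600 "$3"    # the bundle contains the private key
}

# check_pkcs12 FILE PASSWORD
# Succeeds only if FILE holds a private key whose public half matches the leaf
# certificate. A certificate-only store (what `keytool -importcert` on a
# concatenated cert+key produces) fails here: Jetty would have no key pair to
# sign the handshake with, which the browser reports as no cipher overlap.
check_pkcs12() {
  cert_pub=$(P12PW="$2" openssl pkcs12 -in "$1" -passin env:P12PW -nokeys -clcerts \
             | openssl x509 -pubkey -noout 2>/dev/null)
  key_pub=$(P12PW="$2" openssl pkcs12 -in "$1" -passin env:P12PW -nocerts -nodes \
            | openssl pkey -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# import_jks P12 JKS PASSWORD
# Same import as the post; one password for both stores so
# MB_JETTY_SSL_KEYSTORE_PASSWORD unlocks the store and the key inside it.
import_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
      -destkeystore "$2" -deststoretype JKS -deststorepass "$3" -noprompt
  chmod 600 "$2"
}

# check_jks JKS PASSWORD: succeeds if the store has a PrivateKeyEntry (a
# trustedCertEntry alone is the failure mode of the original attempt).
check_jks() {
  keytool -list -keystore "$1" -storepass "$2" | grep -q PrivateKeyEntry
}

# Constructed stand-in for the Let's Encrypt files: a one-day self-signed cert.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/privkey.pem" \
      -out "$1/fullchain.pem" -subj "/CN=www.you.com" -days 1 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  make_test_material "$work"
  make_pkcs12 "$work/fullchain.pem" "$work/privkey.pem" "$work/cert.p12" metabase change-me
  check_pkcs12 "$work/cert.p12" change-me && echo "PKCS12 ok: private key matches leaf cert"
  if command -v keytool >/dev/null 2>&1; then
    import_jks "$work/cert.p12" "$work/new_keystore.jks" change-me
    check_jks "$work/new_keystore.jks" change-me && echo "JKS ok: PrivateKeyEntry present"
  fi
  rm -rf "$work"
}

# Run the end-to-end demo with: sh make_keystore.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh make_keystore.sh demo` to exercise the whole path against the constructed certificate; for the real files, call `make_pkcs12` and `import_jks` with the letsencrypt `fullchain.pem` and `privkey.pem` paths from the post and then `check_jks` before starting Metabase. One caveat: OpenSSL 3 encrypts PKCS12 contents with AES-256 and a PBKDF2 MAC by default, which older Java releases cannot read; if keytool rejects the bundle, either update Java or recreate it with `openssl pkcs12 -export -legacy ...`.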

Hi @AccurateHamilton
Make your life easier and just use a reverse-proxy in front of Metabase and handle the certificate stuff there.

I don’t control the certificates or the other apps that rely on them and can’t make any change to that part of the system.

@AccurateHamilton Well, then you’ll have to make sure you’re using updated Java versions and correct keytool arguments:
https://stackoverflow.com/questions/41626616/cant-connect-to-jetty-9-server-via-ssl-with-firefox-50

And check the log, since it might have some extra information - or you can enable debug/trace logging if you’re not getting enough information:
https://www.metabase.com/docs/latest/operations-guide/log-configuration.html

I got it working, have updated the title & original post with details. Thanks for your help!