We need to secure our Metabase site with an SSL certificate. I've followed the instructions mentioned here: Redirecting…
I've used the following docker command to create the container:
```
sudo docker run -d -p 443:8443 \
  -e "MB_DB_TYPE=postgres" \
  -e "MB_DB_DBNAME=metabase" \
  -v /home/ccc_azureuser:/keystore \
  -e "MB_JETTY_SSL=true" \
  -e "MB_JETTY_SSL_PORT=8443" \
  -e "MB_JETTY_SSL_KEYSTORE=/keystore/CCC.keystore" \
  -e "MB_JETTY_SSL_KEYSTORE_PASSWORD=xxxxxxx" \
  -e "MB_DB_PORT=5432" \
  -e "MB_DB_USER=postgres" \
  -e "MB_DB_PASS=xxxxxx" \
  -e "MB_DB_HOST=x.x.x.x" \
  --name metabasessl metabase/metabase-enterprise
```
Screenshot of the file system inside the container showing the mounted keystore volume location in the correct location:
Screenshot of the docker image config:
The docker logs show no errors but the page throws this error when you go to access it:
Running the `keytool -list -keystore CCC.keystore -v` command verifies the certificate's validity, and it's a copy of a wildcard cert used on other resources without error.
Can you offer any assistance with this?
Sure, first of all, it seems that you're trying Metabase Enterprise. We provide support for testers of the Enterprise edition if needed.
Regarding this issue: which domain did you generate the certificate for, and why are you using an IP address to connect to Metabase instead of a hostname?
I would strongly suggest that you do this with a reverse proxy rather than using Jetty directly to do SSL termination (the reverse proxy is faster, you can do HTTP/2, and you don't use the precious resources of Metabase for encrypting/decrypting traffic).
Here's a docker-compose file for the solution I would use in your case:
```yaml
version: '3.7'
services:
  metabase-reverse:
    image: metabase/metabase-enterprise:v1.41.0
    #image: metabase/metabase:v0.41.0
    container_name: metabase-reverse
    hostname: metabase-reverse
    volumes:
      - /dev/urandom:/dev/random:ro
    #ports:
    #  - 3000:3000
    networks:
      - metanet-private
  nginx:
    image: nginx:1.21.3-alpine
    hostname: nginx
    container_name: nginx
    volumes:
      - $PWD/nginx.conf:/etc/nginx/conf.d/default.conf
    networks:
      - metanet-private
      - metanet-public
    ports:
      - 8081:80
    depends_on:
      - metabase-reverse
networks:
  metanet-private:
    driver: bridge
  metanet-public:
    driver: bridge
```
(You need to create the nginx.conf.)
Also, it seems that you're using Azure. We have a guide for deploying on Azure, and they'll do the SSL termination as well: https://www.metabase.com/docs/latest/operations-guide/running-metabase-on-azure.html
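A sketch of the nginx.conf that the compose file above mounts, written as an added example (not the answerer's or Metabase's own configuration). It assumes a placeholder hostname `metabase.example.com`, PEM certificate files mounted under `/etc/nginx/certs`, and that port 443 of the nginx container is published; none of these are in the compose file as posted.

```nginx
# Added example. Hostname, certificate paths and the published 443 port
# are assumptions; adjust them to your deployment.

# Plain HTTP: redirect everything to HTTPS.
server {
    listen 80;
    server_name metabase.example.com;   # placeholder; must match a name in the certificate
    return 301 https://$host$request_uri;
}

# TLS termination in nginx; Metabase itself stays on plain HTTP
# on the private Docker network and is never published to the host.
server {
    listen 443 ssl http2;
    server_name metabase.example.com;   # placeholder

    # nginx reads PEM files, not a Java keystore, so the certificate
    # chain and private key have to be exported from the keystore first.
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # assumed mount path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # assumed mount path

    # Refuse legacy protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # "metabase-reverse" is the service name from the compose file;
        # 3000 is the port shown in its commented-out ports mapping.
        proxy_pass http://metabase-reverse:3000;

        # Pass the original host, client address and scheme upstream.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this file, the nginx service also needs a `443:443` entry under `ports` and a read-only volume for the certificate directory. Connect by the hostname covered by the certificate rather than by IP address, since a wildcard certificate does not match an IP.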
Thank you! I have implemented the nginx solution with success.