You have to create a java keystore file with your letsencrypt cert and private key and give it a password for SSL to work with metabase. I applied the following command lines to achieve this:
openssl pkcs12 -export -in /etc/letsencrypt/live/foobar.com/fullchain.pem -inkey /etc/letsencrypt/live/foobar.com/privkey.pem -out /etc/apache2/keystore/foobar.com.p12 -password pass:YOURPASSWORDHERE
keytool -importkeystore -srckeystore /etc/apache2/keystore/foobar.com.p12 -srcstoretype pkcs12 -srcstorepass YOURPASSWORDHERE -destkeystore /etc/apache2/keystore/foobar.com.keystore -deststoretype jks -deststorepass YOURPASSWORDHERE
export MB_JETTY_SSL=“true”
export MB_JETTY_SSL_Port=“8443”
export MB_JETTY_SSL_Keystore="/etc/apache2/keystore/foobar.com.keystore"
export MB_JETTY_SSL_Keystore_Password=“YOURPASSWORDHERE”
Then ran
java -jar metabase.jar
and I was able to connect to metabase https on port 8443.
You’ll probably need to do this more than once as certbot rotates keys every 90 days by default. Or just write a script.