java docker ssl jetty metabase

Error when using self-hosted (Jetty) Metabase with SSL inside a Docker container


I'm trying to set up a self-hosted (Jetty) Metabase inside a Docker container running with SSL enabled.

First I created the fullchain.pem and privkey.pem using certbot, then converted them to keystore.jks using this gist.

Then created a .env file that would be used for the --env-file docker flag:

MB_DB_FILE=/metabase/metabase.db
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=443
MB_JETTY_SSL_KEYSTORE=./keystore.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=my-pass

And tried to run:

docker run -p 80:3000 -v ~/metabase:/metabase --env-file "./prod.env" --name metabase metabase/metabase

But I got the following error:

ERROR metabase.core :: Metabase Initialization FAILED
java.net.SocketException: Permission denied
    at sun.nio.ch.Net.bind0(Native Method) ~[?:?]
    at sun.nio.ch.Net.bind(Unknown Source) ~[?:?]
    at sun.nio.ch.Net.bind(Unknown Source) ~[?:?]
    at sun.nio.ch.ServerSocketChannelImpl.bind(Unknown Source) ~[?:?]
    at sun.nio.ch.ServerSocketAdaptor.bind(Unknown Source) ~[?:?]
    at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:345) ~[metabase.jar:?]
    at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:310) ~[metabase.jar:?]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80) ~[metabase.jar:?]

Solved by changing the SSL_PORT to 8443, so the new env file looks like this:

MB_DB_FILE=/metabase/metabase.db
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=8443
MB_JETTY_SSL_KEYSTORE=./keystore.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=my-pass

I deleted the old container and started a new one with the env file above, but now I'm stuck on this error:

ERROR metabase.core :: Metabase Initialization FAILED
java.lang.IllegalStateException: /"./keystore.jks" is not a valid keystore

I've double checked if my .jks file is valid using this. And it is.

My questions are:

  1. Why can't I run it on 443?
  2. Why is my keystore not valid?

Edit 1:

Following up on Joakim's suggestion:

Changed to the absolute path:

MB_DB_FILE=/metabase-prod-data/metabase.db
MB_JETTY_SSL=true
MB_JETTY_SSL_PORT=8443
MB_JETTY_SSL_KEYSTORE=/root/services/metabase/setup/keystore.jks
MB_JETTY_SSL_KEYSTORE_PASSWORD=my-pass

Got this error:

ERROR metabase.core :: Metabase Initialization FAILED
java.lang.IllegalStateException: /root/services/metabase/setup/keystore.jks is not a valid keystore

Solution

  • Why port 443 is not used is answered by @Joakim.

    I also faced this issue during Metabase initialisation. The error I was facing was that the keystore file on the host was not accessible inside the Docker container.

    I used a docker-compose yml file. You can search for terminal-based ways as well.

    I made it accessible by mounting the host folder that contains the certificate, using the volumes attribute.

    metabase:
        ...
        env_file:
          - ./config/metabase.env
        volumes:
          - <LOCAL_PATH>:<CONTAINER_PATH>

    Inside the environment path:

    MB_JETTY_SSL_KEYSTORE:<CONTAINER_PATH>/keystore.jks
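
The mount-and-path fix described in the answer above can be checked before starting the container. The following is an added example, not part of the original posts: a shell preflight that tests whether the `MB_JETTY_SSL_KEYSTORE` value in an env file will resolve inside the container for a given `HOST_DIR:CONTAINER_DIR` bind mount. The function names and the `/certs` mount point are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts): preflight check for the keystore
# path in a Metabase env file against a "HOST_DIR:CONTAINER_DIR[:ro]" bind mount.

# Print the value of KEY from a KEY=VALUE env file (last assignment wins).
env_value() {  # usage: env_value FILE KEY
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# usage: check_keystore ENV_FILE HOST_DIR:CONTAINER_DIR[:ro]
# Prints a verdict; returns 0 only if the keystore path maps to a readable host file.
check_keystore() {
  local ks host_dir ctr_dir rel
  ks=$(env_value "$1" MB_JETTY_SSL_KEYSTORE)
  host_dir=${2%%:*}
  ctr_dir=${2#*:}
  ctr_dir=${ctr_dir%%:*}   # drop an optional mode suffix such as :ro
  ctr_dir=${ctr_dir%/}

  case $ks in
    '')      echo "MB_JETTY_SSL_KEYSTORE is not set"; return 1 ;;
    \"*|\'*) echo "value is quoted: docker run --env-file keeps the quotes in the path"
             return 1 ;;
    /*)      ;;  # absolute path, checked against the mount below
    *)       echo "relative path '$ks' is resolved inside the container, not on the host"
             return 1 ;;
  esac

  # The path must live under the container side of the mount, not the host side.
  case $ks in
    "$ctr_dir"/*) rel=${ks#"$ctr_dir"/} ;;
    *) echo "'$ks' is not under the mounted container path '$ctr_dir'"; return 1 ;;
  esac

  # Readability is tested as the current host user, not as the container user.
  if [ ! -r "$host_dir/$rel" ]; then
    echo "host file '$host_dir/$rel' is missing or unreadable"
    return 1
  fi
  echo "ok: $host_dir/$rel -> $ks"
}

# Example call (constructed paths):
#   check_keystore ./prod.env "$HOME/metabase/certs:/certs:ro"
```

A host path such as the `/root/services/metabase/setup/keystore.jks` tried in Edit 1 fails the second check unless that directory is the container side of a mount.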