Overview
Foundry Virtual Tabletop supports use of Secure Sockets Layer (SSL) connections in order to provide encrypted connections for users. The primary reason to configure SSL for Foundry VTT is to allow users to enable A/V Integration for Foundry VTT. For security reasons, browsers (such as Chrome or Firefox) will not let a website capture your camera and microphone unless that connection is secure, which means Foundry VTT needs to be accessed using https:// rather than http://.
Requirements
Configuring SSL is an advanced feature of Foundry VTT and requires technical configuration.
While it is not a difficult process to configure SSL for Foundry VTT, it does require an elevated level of technical knowledge in order to understand and troubleshoot some errors that may occur in the process. This article assumes you have familiarity with Port Forwarding, firewall configuration, and the use of the command-line tools for your operating system.
This process requires:
- A domain name or Dynamic DNS service (if using CA Signed Certificates)
- Installation of some software utilities (free)
- Administrator access to your operating system
Configuring SSL
The most common reason users want to set up SSL configuration is in order to enable HTTPS support in Foundry VTT, you will need an SSL certificate. Certificates are most often generated as .pem
files or as .cert
and .key
files. There are two options for generating SSL certificates:
- CA Signed Certificates
- SSL certificates signed by a Certificate Authority (CA) provide an extra layer of verification and are considered genuine by all browsers, but often require the user to renew them regularly (most often: 90 days). CA Signed Certificates are legitimate and valid, but require you to have a domain name associated with your IP address that can be verified by a number of testing methods. Use of a CA Certificate saves your users a lot of manual configuration for access, but means you have to do the work instead.
- Self-Signed Certificates
- Self-Signed certificates are generated by you, and are normally only used for testing purposes. Using self-signed certificates require your users to manually accept the certificate, and many browsers will report self-signed certificates as not secure. Use of a Self-Signed Certificate offloads some of the work for configuration to your users, as they may have to configure their browser to allow acceptance of self-signed certificates from unverified hosts.
For a variety of reasons, it is recommended to use an SSL certificate generated by a trusted Certificate Authority wherever possible.
Obtaining a CA Signed Certificate
Most hosting providers offer them for a nominal fee or include them with your hosting package, so if you are hosting Foundry VTT via a remote-hosted server there is a reasonably good chance you can simply acquire the certificate.pem and privkey.pem files from your hosting provider, place them in your FVTT Config directory, and point Foundry VTT's configuration to them per Part 3 of this process as listed below.
If you are self-hosting there is a process for using the Certbot software (provided generously by Let's Encrypt and the Electronic Frontier Foundation Electronic Frontier Foundation) which will allow you to generate legitimate certificates through their verification process. Certbot is 100% free and can be configured for Windows, macOS, and most Linux distributions.
This process requires a Domain name. If you do not have a domain name, or you are hosting on your home computer via a residential internet service provider, consider using a Dynamic DNS provider. The process for setting up Dynamic DNS can be found in the Hosting Guide article.
Before you begin, be sure you have:
- A Domain name
- A Port Forwarding rule configured to direct traffic on port 80 and 443 to the computer on which you are hosting FVTT
- Any firewall software you are using configured to allow traffic on port 80 and 443
- Administrator permissions for your computer
Note: CA Signed Certificates will last for 90-days before requiring renewal, and the EFF will email you a notification warning you of the pending expiration. If you are renewing your certificate, skip directly to the step 3!
Generating a SSL Cert using Certbot (Windows 10 or 11)
- Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe
- Search the start menu for "command prompt", then right-click it and choose run as administrator
- In the Administrator Command Prompt, type:
certbot certonly --standalone -d YOURDOMAINNAMEHERE
(if you are renewing your existing certificates, usecertbot renew
instead)- Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on your Windows Firewall)
- Once it has completed it will place a set of .pem files inC:\certbot\live\YOURDOMAINHERE\
- Copy the "fullchain.pem" and "privkey.pem" into the Config folder located inside your Foundry VTT User Data Folder (default location: %localappdata%\FoundryVTT\Config)
- Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
Port: 443
SSL Certificate: fullchain.pem
SSL Key: privkey.pem- Press "Save Changes", this will cause Foundry VTT to shut down.
- Relaunch Foundry VTT and it should now be using HTTPS.
Generating a SSL Cert using Certbot (macOS)
- Using Terminal, install the Homebrew Package Manager using the command:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
- Still using Terminal, use Homebrew to install the latest version of Certbot:
brew install certbot
- From Terminal, type:
certbot certonly --standalone -d YOURDOMAINNAMEHERE
(if you are renewing your existing certificates, usecertbot renew
instead)- Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on any firewall you may have enabled)
- Once it has completed it will place a set of .pem files in /etc/letsencrypt/live/YOURDOMAINHERE/
- Copy the "fullchain.pem" and "privkey.pem" into theConfigfolder located inside your Foundry VTT User Data Folder (default location:~/FoundryVTT/Library/Application Support/FoundryVTT/Config/)
- Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
Port: 443
SSL Certificate: fullchain.pem
SSL Key: privkey.pem- Press "Save Changes", this will cause Foundry VTT to shut down.
- Relaunch Foundry VTT and it should now be using HTTPS.
Generating a SSL Cert using Certbot (Linux)
- Using any terminal emulator or bash shell, Install Certbot using one of the appropriate command for your distribution:
Arch-based:sudo pacman -S certbot
Debian-based:sudo apt install certbot
Fedora:sudo dnf install certbot
- For additional OS instructions, or installing via Snap, please view: https://certbot.eff.org/docs/install.html#operating-system-packages
- FromTerminal, type:
certbot certonly --standalone -d YOURDOMAINNAMEHERE
(if you are renewing your existing certificates, usecertbot renew
instead)- Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on any firewall you may have enabled)
- Once it has completed it will place a set of .pem files in/etc/letsencrypt/live/YOURDOMAINHERE/
- Copy the "fullchain.pem" and "privkey.pem" into theConfigfolder located inside your Foundry VTT User Data Folder (default location:~/.local/share/FoundryVTT/Config/)
- Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
Port: 443
SSL Certificate: fullchain.pem
SSL Key: privkey.pem- Press "Save Changes", this will cause Foundry VTT to shut down.
- Relaunch Foundry VTT and it should now be using HTTPS.
Creating a Self-Signed Certificate
While creating your own SSL certificate can be easier to achieve, it does not guarantee security because it does not efficiently protect the data being transferred and potentially malicious third parties could still intercept and access the data. It is however still more secure than not having an SSL certificate and simply using http://
When using a self-signed certificate, your browser will warn your users that they are entering an unsecured site when they visit it for the first time and periodically after that. Users may need to used advanced configuration to allow their browsers to accept self-signed certificates, and will need to click on the "Advanced" button and then "Proceed" after reloading the site to accept the certificate. Here are some links which explain methods of creating a self-signed certificates for different platforms:
-
Online Tool : https://selfsigned.org/
-
Windows: https://medium.com/the-new-control-plane/generating-self-signed-certificates-on-windows-7812a600c2d8
-
Linux: https://linuxize.com/post/creating-a-self-signed-ssl-certificate/
-
macOS: https://support.apple.com/guide/keychain-access/create-self-signed-certificates-kyca8916/mac
When creating a self-signed certificate, you can simply list the server name as localhost
.
Using an Existing Certificate
To configure Foundry VTT to use the certificate you have created, you need to copy the certificate and the private key to your FVTT's Config directory, after which you can enter the file names in the SSL Cert and SSL Key fields on the Foundry VTT Setup menu. This can also be configured by directly editing the options.json file located in the Config folder. For example, suppose you have generated a SSL certificate file named localhost.cert
and a SSL key file named localhost.key
- you would place these files inside your Config
folder and reference them within the options.json
file as follows:
...
"sslCert": "localhost.cert",
"sslKey": "localhost.key",
...
Using a Reverse Proxy
If you configured your Foundry VTT to operate behind a reverse proxy provided by Apache, Caddy, or Nginx then all you need to do to have FVTT support https is to change one key within the options.json
file as follows:
...
"ProxySSL": true,
...
Once this configuration change has been made, Foundry VTT will operate using the SSL provided by your reverse proxy rather than requiring its own configuration and nothing further needs to be changed.