Overview

Foundry Virtual Tabletop supports use of Secure Sockets Layer (SSL) connections in order to provide encrypted connections for users. The primary reason to configure SSL for Foundry VTT is to allow users to enable A/V Integration for Foundry VTT. For security reasons, browsers (such as Chrome or Firefox) will not let a website capture your camera and microphone unless that connection is secure, which means Foundry VTT needs to be accessed using https:// rather than http://.

Requirements

Configuring SSL is an advanced feature of Foundry VTT and requires technical configuration.

While it is not a difficult process to configure SSL for Foundry VTT, it does require an elevated level of technical knowledge in order to understand and troubleshoot some errors that may occur in the process. This article assumes you have familiarity with Port Forwarding, firewall configuration, and the use of the command-line tools for your operating system.

This process requires:

Configuring SSL

To enable HTTPS support in Foundry VTT, you will need an SSL certificate. Certificates are most often generated as .pem files or as .cert and .key files. There are two options for generating SSL certificates:

CA Signed Certificates
SSL certificates signed by a Certificate Authority (CA) provide an extra layer of verification and are considered genuine by all browsers, but often require the user to renew them regularly (most often: 90 days). CA Signed Certificates are legitimate and valid, but require you to have a domain name associated with your IP address that can be verified by a number of testing methods. Use of a CA Certificate saves your users a lot of manual configuration for access, but means you have to do the work instead.
Self-Signed Certificates
Self-Signed certificates are generated by you, and are normally only used for testing purposes. Using self-signed certificates requires your users to manually accept the certificate, and many browsers will report self-signed certificates as not secure. Use of a Self-Signed Certificate offloads some of the work for configuration to your users, as they may have to configure their browser to allow acceptance of self-signed certificates from unverified hosts.

For a variety of reasons, it is recommended to use an SSL certificate generated by a trusted Certificate Authority wherever possible.

Obtaining a CA Signed Certificate

Most hosting providers offer them for a nominal fee or include them with your hosting package, so if you are hosting Foundry VTT via a remote-hosted server there is a reasonably good chance you can simply acquire the certificate.pem and privkey.pem files from your hosting provider, place them in your FVTT Config directory, and point Foundry VTT's configuration to them per Part 3 of this process as listed below.

If you are self-hosting, there is a process for using the Certbot software (provided generously by Let's Encrypt and the Electronic Frontier Foundation) which will allow you to generate legitimate certificates through their verification process. Certbot is 100% free and can be configured for Windows 10, macOS, and most Linux distributions.

This process requires a Domain name. If you do not have a domain name, or you are hosting on your home computer via a residential internet service provider, consider using a Dynamic DNS provider. The process for setting up Dynamic DNS can be found in the Hosting Guide article.

Before you begin, be sure you have:

Note: CA Signed Certificates will last for 90 days before requiring renewal, and the EFF will email you a notification warning you of the pending expiration. If you are renewing your certificate, skip directly to step 3!


Generating an SSL Cert using Certbot (Windows 10)

  1. Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe
  2. Search the start menu for "command prompt", then right-click it and choose run as administrator
  3. In the Administrator Command Prompt, type: certbot certonly --standalone -d YOURDOMAINNAMEHERE (if you are renewing your existing certificates, use certbot renew instead)
  4. Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on your Windows Firewall)
  5. Once it has completed it will place a set of .pem files in C:\certbot\live\YOURDOMAINHERE\
  6. Copy the "fullchain.pem" and "privkey.pem" into the Config folder located inside your Foundry VTT User Data Folder (default location: %localappdata%\FoundryVTT\Config)
  7. Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
    Port: 443
    SSL Certificate: fullchain.pem
    SSL Key: privkey.pem
  8. Press "Save Changes"; this will cause Foundry VTT to shut down.
  9. Relaunch Foundry VTT and it should now be using HTTPS.

Generating an SSL Cert using Certbot (macOS)

  1. Using Terminal, install the Homebrew Package Manager using the command: /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  2. Still using Terminal, use Homebrew to install the latest version of Certbot: brew install certbot
  3. From Terminal, type: certbot certonly --standalone -d YOURDOMAINNAMEHERE (if you are renewing your existing certificates, use certbot renew instead)
  4. Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on any firewall you may have enabled)
  5. Once it has completed it will place a set of .pem files in /etc/letsencrypt/live/YOURDOMAINHERE/
  6. Copy the "fullchain.pem" and "privkey.pem" into the Config folder located inside your Foundry VTT User Data Folder (default location: ~/FoundryVTT/Library/Application Support/FoundryVTT/Config/)
  7. Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
    Port: 443
    SSL Certificate: fullchain.pem
    SSL Key: privkey.pem
  8. Press "Save Changes"; this will cause Foundry VTT to shut down.
  9. Relaunch Foundry VTT and it should now be using HTTPS.

Generating an SSL Cert using Certbot (Linux)

  1. Using any terminal emulator or bash shell, install Certbot using the appropriate command for your distribution:
    Arch-based: sudo pacman -S certbot

    Debian-based: sudo apt install certbot

    Fedora: sudo dnf install certbot
  2. For additional OS instructions, or installing via Snap, please view: https://certbot.eff.org/docs/install.html#operating-system-packages
  3. From Terminal, type: certbot certonly --standalone -d YOURDOMAINNAMEHERE (if you are renewing your existing certificates, use certbot renew instead)
  4. Wait for verification to complete (if it fails, please ensure you have port-forwarded TCP port 80 and TCP port 443 and opened those ports on any firewall you may have enabled)
  5. Once it has completed it will place a set of .pem files in /etc/letsencrypt/live/YOURDOMAINHERE/
  6. Copy the "fullchain.pem" and "privkey.pem" into the Config folder located inside your Foundry VTT User Data Folder (default location: ~/.local/share/FoundryVTT/Config/)
  7. Launch Foundry VTT and from the Setup menu, click the Configuration tab and change the following settings:
    Port: 443
    SSL Certificate: fullchain.pem
    SSL Key: privkey.pem
  8. Press "Save Changes"; this will cause Foundry VTT to shut down.
  9. Relaunch Foundry VTT and it should now be using HTTPS.

Creating a Self-Signed Certificate

While creating your own SSL certificate can be easier to achieve, it does not guarantee security because it does not effectively protect the data being transferred, and potentially malicious third parties could still intercept and access the data. It is, however, still more secure than not having an SSL certificate and simply using http://.

When using a self-signed certificate, your browser will warn your users that they are entering an unsecured site when they visit it for the first time and periodically after that. Users may need to use advanced configuration to allow their browsers to accept self-signed certificates, and will need to click on the "Advanced" button and then "Proceed" after reloading the site to accept the certificate. Here are some links which explain methods of creating self-signed certificates for different platforms:

When creating a self-signed certificate, you can simply list the server name as localhost.

Using an Existing Certificate

To configure Foundry VTT to use the certificate you have created, you need to copy the certificate and the private key to your FVTT's Config directory, after which you can enter the file names in the SSL Cert and SSL Key fields on the Foundry VTT Setup menu. This can also be configured by directly editing the options.json file located in the Config folder. For example, suppose you have generated an SSL certificate file named localhost.cert and an SSL key file named localhost.key. You would place these files inside your Config folder and reference them within the options.json file as follows:

...
"sslCert": "localhost.cert",
"sslKey": "localhost.key",
...

Using a Reverse Proxy

If you configured your Foundry VTT to operate behind a reverse proxy provided by Apache, Caddy, or Nginx, then all you need to do to have FVTT support https is to change one key within the options.json file as follows:

...
"proxySSL": true,
...

Once this configuration change has been made, Foundry VTT will operate using the SSL provided by your reverse proxy rather than requiring its own configuration and nothing further needs to be changed.
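
The two options.json setups described above (sslCert/sslKey files in the Config folder, or proxySSL behind a reverse proxy) can be checked before relaunching. The following is an added example, not part of Foundry VTT or the original article; the function name audit_foundry_tls and the private-key permission check are assumptions of this example.

```python
import json
import os
import stat
import sys
import tempfile
from pathlib import Path


def audit_foundry_tls(config_dir):
    """Return (mode, problems) for the options.json in a Foundry VTT Config folder."""
    config_dir = Path(config_dir)
    opts = json.loads((config_dir / "options.json").read_text(encoding="utf-8"))
    cert, key = opts.get("sslCert"), opts.get("sslKey")
    if not cert and not key:
        # No certificate configured: HTTPS only works if a reverse proxy terminates TLS.
        return ("proxy" if opts.get("proxySSL") else "http"), []
    if not (cert and key):
        return "direct", ["sslCert and sslKey must both be set"]

    problems = []
    # (option name, configured file name, text a PEM file of that type contains)
    for name, fname, marker in (("sslCert", cert, "BEGIN CERTIFICATE"),
                                ("sslKey", key, "PRIVATE KEY-----")):
        path = config_dir / fname
        if not path.is_file():
            problems.append(f"{name}: {fname} not found in Config folder")
            continue
        if marker not in path.read_text(encoding="ascii", errors="replace"):
            # Catches swapped entries, e.g. privkey.pem entered as the certificate.
            problems.append(f"{name}: {fname} is not the expected PEM type")
        if name == "sslKey" and os.name == "posix":
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:  # any group/other permission bit on the private key
                problems.append(f"sslKey: {fname} has mode {mode:o}; use chmod 600")
    return "direct", problems


if __name__ == "__main__":
    # With no argument, audit a constructed sample Config folder (placeholder PEM bodies).
    with tempfile.TemporaryDirectory() as d:
        Path(d, "options.json").write_text('{"sslCert": "fullchain.pem", "sslKey": "privkey.pem"}')
        Path(d, "fullchain.pem").write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n")
        Path(d, "privkey.pem").write_text("-----BEGIN PRIVATE KEY-----\n(constructed)\n")
        mode, problems = audit_foundry_tls(sys.argv[1] if len(sys.argv) > 1 else d)
    print("TLS mode:", mode)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Pass the path of your Config folder as the only argument to audit a real installation; the check confirms file placement and type only, not that the certificate is valid or matches the key.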