ante-erp-cli 1.11.60 → 1.11.62

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.11.60",
+  "version": "1.11.62",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/set-domain.js

@@ -914,64 +914,116 @@ export async function setDomain(options) {
               }
             }
 
+            // Track successful and failed domains
+            const successfulDomains = [];
+            const failedDomains = [];
+
+            // Frontend and API are mandatory - they must succeed
+            const mandatoryDomains = [frontendDomain];
+            if (apiDomain !== frontendDomain) {
+              mandatoryDomains.push(apiDomain);
+            }
+
             for (const domain of domains) {
               console.log(chalk.gray(`   Obtaining certificate for ${domain}...`));
-              await obtainSSLCertificate({
-                domain,
-                email: sslEmail,
-                staging: options.sslStaging || false
-              });
+              try {
+                await obtainSSLCertificate({
+                  domain,
+                  email: sslEmail,
+                  staging: options.sslStaging || false
+                });
+                successfulDomains.push(domain);
+              } catch (error) {
+                const isMandatory = mandatoryDomains.includes(domain);
+                if (isMandatory) {
+                  // Mandatory domain failed - add to failures but continue
+                  console.log(chalk.red(`✗ Failed (mandatory): ${domain}`));
+                  failedDomains.push({ domain, error: error.message, mandatory: true });
+                } else {
+                  // Optional domain failed - continue with others
+                  console.log(chalk.yellow(`⚠ Skipped (optional): ${domain} - ${error.message}`));
+                  failedDomains.push({ domain, error: error.message, mandatory: false });
+                }
+              }
             }
 
-            console.log(chalk.green('\n✓ SSL certificates obtained\n'));
+            // Show SSL certificate summary
+            console.log(chalk.cyan('\n📋 SSL Certificate Results:\n'));
+            successfulDomains.forEach(d => console.log(chalk.green(`   ✓ ${d} - Certificate obtained`)));
+            failedDomains.forEach(f => console.log(chalk.yellow(`   ⚠ ${f.domain} - ${f.error}`)));
 
-            // Step 2: Update NGINX for HTTPS
-            console.log(chalk.cyan('🔧 Configuring NGINX for HTTPS...\n'));
+            // Check if any mandatory domains failed
+            const mandatoryFailures = failedDomains.filter(f => f.mandatory);
+            if (mandatoryFailures.length > 0) {
+              console.log(chalk.red('\n✗ Mandatory domains failed to get SSL certificates.'));
+              console.log(chalk.yellow('   NGINX will be configured with HTTP for failed domains.\n'));
+            }
 
-            const sslNginxConfig = {
-              frontendDomain: frontendUrl,
-              apiDomain: apiUrl,
-              frontendPort: 8080,
-              apiPort: 3001
-            };
+            // Proceed only if at least some domains succeeded
+            if (successfulDomains.length > 0) {
+              console.log(chalk.green(`\n✓ ${successfulDomains.length} of ${domains.length} SSL certificates obtained\n`));
 
-            if (hasGateApp && gateAppUrl) {
-              sslNginxConfig.gateAppDomain = gateAppUrl;
-              sslNginxConfig.gateAppPort = 8081;
-            }
+              // Step 2: Update NGINX for HTTPS (with partial SSL support)
+              console.log(chalk.cyan('🔧 Configuring NGINX for HTTPS...\n'));
 
-            if (hasGuardianApp && guardianAppUrl) {
-              sslNginxConfig.guardianAppDomain = guardianAppUrl;
-              sslNginxConfig.guardianAppPort = 8082;
-            }
+              const sslNginxConfig = {
+                frontendDomain: frontendUrl,
+                apiDomain: apiUrl,
+                frontendPort: 8080,
+                apiPort: 3001,
+                domainsWithCerts: successfulDomains
+              };
 
-            if (hasFacialWeb && facialWebUrl) {
-              sslNginxConfig.facialAppDomain = facialWebUrl;
-              sslNginxConfig.facialWebPort = 8083;
-            }
+              if (hasGateApp && gateAppUrl) {
+                sslNginxConfig.gateAppDomain = gateAppUrl;
+                sslNginxConfig.gateAppPort = 8081;
+              }
 
-            if (hasPosApp && posAppUrl) {
-              sslNginxConfig.posAppDomain = posAppUrl;
-              sslNginxConfig.posAppPort = 8084;
-            }
+              if (hasGuardianApp && guardianAppUrl) {
+                sslNginxConfig.guardianAppDomain = guardianAppUrl;
+                sslNginxConfig.guardianAppPort = 8082;
+              }
 
-            if (hasMlmApp && mlmAppUrl) {
-              sslNginxConfig.mlmAppDomain = mlmAppUrl;
-              sslNginxConfig.mlmAppPort = 9005;
-            }
+              if (hasFacialWeb && facialWebUrl) {
+                sslNginxConfig.facialAppDomain = facialWebUrl;
+                sslNginxConfig.facialWebPort = 8083;
+              }
 
-            if (hasBackendMlm && backendMlmUrl) {
-              sslNginxConfig.backendMlmDomain = backendMlmUrl;
-              sslNginxConfig.backendMlmPort = 4001;
-            }
+              if (hasPosApp && posAppUrl) {
+                sslNginxConfig.posAppDomain = posAppUrl;
+                sslNginxConfig.posAppPort = 8084;
+              }
+
+              if (hasMlmApp && mlmAppUrl) {
+                sslNginxConfig.mlmAppDomain = mlmAppUrl;
+                sslNginxConfig.mlmAppPort = 9005;
+              }
+
+              if (hasBackendMlm && backendMlmUrl) {
+                sslNginxConfig.backendMlmDomain = backendMlmUrl;
+                sslNginxConfig.backendMlmPort = 4001;
+              }
 
-            await updateNginxForSSL(sslNginxConfig);
+              await updateNginxForSSL(sslNginxConfig);
 
-            // Step 3: Setup auto-renewal
-            console.log(chalk.cyan('🔄 Setting up automatic certificate renewal...\n'));
-            await setupAutoRenewal();
+              // Step 3: Setup auto-renewal
+              console.log(chalk.cyan('🔄 Setting up automatic certificate renewal...\n'));
+              await setupAutoRenewal();
 
-            console.log(chalk.green('✓ SSL/HTTPS configured successfully\n'));
+              if (failedDomains.length > 0) {
+                console.log(chalk.yellow('⚠ SSL/HTTPS partially configured\n'));
+                console.log(chalk.gray('   Failed domains will use HTTP only.'));
+                console.log(chalk.gray('   You can retry failed domains later with:'));
+                console.log(chalk.gray(`   ante ssl enable --email ${sslEmail}\n`));
+              } else {
+                console.log(chalk.green('✓ SSL/HTTPS configured successfully\n'));
+              }
+            } else {
+              console.log(chalk.yellow('\n⚠ No SSL certificates were obtained.'));
+              console.log(chalk.gray('   NGINX will use HTTP only.'));
+              console.log(chalk.gray('   You can enable SSL later with:'));
+              console.log(chalk.gray(`   ante ssl enable --email ${sslEmail}\n`));
+            }
 
           } catch (error) {
             console.log(chalk.red('\n✗ SSL setup failed:'), error.message);

package/src/commands/ssl-enable.js

@@ -195,18 +195,23 @@ export async function sslEnable(options) {
 
       console.log();
 
-      const { proceed } = await inquirer.prompt([
-        {
-          type: 'confirm',
-          name: 'proceed',
-          message: 'Do you want to renew or reconfigure SSL certificates?',
-          default: false
+      // In non-interactive mode, automatically proceed with renewal/reconfiguration
+      if (options.interactive !== false) {
+        const { proceed } = await inquirer.prompt([
+          {
+            type: 'confirm',
+            name: 'proceed',
+            message: 'Do you want to renew or reconfigure SSL certificates?',
+            default: false
+          }
+        ]);
+
+        if (!proceed) {
+          console.log(chalk.gray('\nSSL configuration cancelled.\n'));
+          return;
         }
-      ]);
-
-      if (!proceed) {
-        console.log(chalk.gray('\nSSL configuration cancelled.\n'));
-        return;
+      } else {
+        console.log(chalk.gray('Non-interactive mode: Proceeding with SSL reconfiguration...\n'));
       }
     }
 
@@ -368,9 +373,21 @@ export async function sslEnable(options) {
 
     console.log(chalk.bold('\n🚀 Starting SSL Configuration...\n'));
 
-    // Step 1: Obtain SSL certificates for all domains
+    // Step 1: Obtain SSL certificates for all domains (with graceful error handling)
     console.log(chalk.cyan('📋 Obtaining SSL certificates...\n'));
 
+    // Track successful and failed domains
+    const successfulDomains = [];
+    const failedDomains = [];
+
+    // Extract domain names for the frontend and API (mandatory)
+    const frontendDomainName = frontendUrl.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+    const apiDomainName = apiUrl.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+    const mandatoryDomains = [frontendDomainName];
+    if (apiDomainName !== frontendDomainName) {
+      mandatoryDomains.push(apiDomainName);
+    }
+
     for (const domainConfig of domains) {
       try {
         console.log(chalk.gray(`   Obtaining certificate for ${domainConfig.domain}...`));
@@ -379,18 +396,36 @@ export async function sslEnable(options) {
           email: options.email,
           staging: options.staging || false
         });
+        successfulDomains.push(domainConfig.domain);
       } catch (error) {
-        console.log(chalk.red(`\n✗ Failed to obtain SSL certificate for ${domainConfig.domain}:`), error.message);
-        console.log(chalk.yellow('\n⚠  Troubleshooting:'));
-        console.log(chalk.gray('   1. Verify DNS points to this server'));
-        console.log(chalk.gray('   2. Ensure ports 80 and 443 are open'));
-        console.log(chalk.gray('   3. Check NGINX is running: systemctl status nginx'));
-        console.log(chalk.gray('   4. View certbot logs: /var/log/letsencrypt/letsencrypt.log\n'));
-        process.exit(1);
+        const isMandatory = mandatoryDomains.includes(domainConfig.domain);
+        if (isMandatory) {
+          console.log(chalk.red(`✗ Failed (mandatory): ${domainConfig.domain}`));
+          failedDomains.push({ domain: domainConfig.domain, error: error.message, mandatory: true });
+        } else {
+          console.log(chalk.yellow(`⚠ Skipped (optional): ${domainConfig.domain} - ${error.message}`));
+          failedDomains.push({ domain: domainConfig.domain, error: error.message, mandatory: false });
+        }
       }
     }
 
-    console.log(chalk.green('\n✓ All SSL certificates obtained\n'));
+    // Show SSL certificate summary
+    console.log(chalk.cyan('\n📋 SSL Certificate Results:\n'));
+    successfulDomains.forEach(d => console.log(chalk.green(`   ✓ ${d} - Certificate obtained`)));
+    failedDomains.forEach(f => console.log(chalk.yellow(`   ⚠ ${f.domain} - ${f.error}`)));
+
+    // Check if we can proceed
+    if (successfulDomains.length === 0) {
+      console.log(chalk.red('\n✗ No SSL certificates were obtained.'));
+      console.log(chalk.yellow('\n⚠  Troubleshooting:'));
+      console.log(chalk.gray('   1. Verify DNS points to this server'));
+      console.log(chalk.gray('   2. Ensure ports 80 and 443 are open'));
+      console.log(chalk.gray('   3. Check NGINX is running: systemctl status nginx'));
+      console.log(chalk.gray('   4. View certbot logs: /var/log/letsencrypt/letsencrypt.log\n'));
+      process.exit(1);
+    }
+
+    console.log(chalk.green(`\n✓ ${successfulDomains.length} of ${domains.length} SSL certificates obtained\n`));
 
     // Step 2: Update NGINX configuration with SSL
     console.log(chalk.cyan('🔧 Configuring NGINX for HTTPS...\n'));
@@ -404,7 +439,8 @@ export async function sslEnable(options) {
         frontendDomain: frontendUrl,
         apiDomain: apiUrl,
         frontendPort,
-        apiPort
+        apiPort,
+        domainsWithCerts: successfulDomains
       };
 
       if (gateAppUrl) {
@@ -452,15 +488,32 @@ export async function sslEnable(options) {
     await setupAutoRenewal();
 
     // Success summary
-    console.log(chalk.bold.green('\n✓ SSL/HTTPS Configuration Complete!\n'));
+    if (failedDomains.length > 0) {
+      console.log(chalk.bold.yellow('\n⚠ SSL/HTTPS Configuration Partially Complete!\n'));
+      console.log(chalk.yellow('Some domains failed to get SSL certificates:'));
+      failedDomains.forEach(f => {
+        console.log(chalk.gray(`   • ${f.domain}: ${f.error}`));
+      });
+      console.log(chalk.gray('\nFailed domains will use HTTP only until DNS is configured.'));
+      console.log(chalk.gray('You can retry later with: ante ssl enable --email ' + options.email + '\n'));
+    } else {
+      console.log(chalk.bold.green('\n✓ SSL/HTTPS Configuration Complete!\n'));
+    }
 
     console.log(chalk.cyan('Secured Domains:'));
-    domains.forEach(d => {
+    domains.filter(d => successfulDomains.includes(d.domain)).forEach(d => {
       const httpsUrl = d.url.replace('http://', 'https://').replace(/:\d+$/, '');
       console.log(chalk.white(`   • ${d.domain}`));
       console.log(chalk.gray(`     ${httpsUrl}\n`));
     });
 
+    if (failedDomains.length > 0) {
+      console.log(chalk.yellow('Unsecured Domains (HTTP only):'));
+      failedDomains.forEach(f => {
+        console.log(chalk.gray(`   • ${f.domain} - DNS not configured\n`));
+      });
+    }
+
     console.log(chalk.cyan('Certificate Details:'));
     console.log(chalk.gray('   Provider: Let\'s Encrypt'));
     console.log(chalk.gray('   Validity: 90 days'));

package/src/utils/nginx.js

@@ -85,7 +85,8 @@ export function generateNginxConfig(config) {
     mlmAppPort = 9005,
     backendMlmPort = 4001,
     ssl = false,
-    cloudflareSsl = false
+    cloudflareSsl = false,
+    domainsWithCerts = []
   } = config;
 
   // Extract domain without protocol
@@ -138,7 +139,8 @@ export function generateNginxConfig(config) {
       facialWebPort,
       posAppPort,
       mlmAppPort,
-      backendMlmPort
+      backendMlmPort,
+      domainsWithCerts
     });
   }
 
@@ -782,6 +784,7 @@ export async function generateCloudflareCert() {
  * @param {number} [config.posAppPort] - POS app port (default: 8084)
  * @param {number} [config.mlmAppPort] - MLM app port (default: 9005)
  * @param {number} [config.backendMlmPort] - Backend MLM API port (default: 4001)
+ * @param {string[]} [config.domainsWithCerts] - List of domains that have valid SSL certificates
  * @returns {string} NGINX configuration with SSL
  */
 function generateSslNginxConfig(config) {
@@ -801,19 +804,26 @@ function generateSslNginxConfig(config) {
     facialWebPort = 8083,
     posAppPort = 8084,
     mlmAppPort = 9005,
-    backendMlmPort = 4001
+    backendMlmPort = 4001,
+    domainsWithCerts = []
   } = config;
 
-  return `# ANTE Frontend Configuration (HTTPS)
+  // Helper function to check if a domain has a valid SSL certificate
+  // If domainsWithCerts is empty, assume all domains have certs (backward compatibility)
+  const hasCert = (host) => domainsWithCerts.length === 0 || domainsWithCerts.includes(host);
+
+  // Helper function to generate SSL server block
+  const generateSslServerBlock = (host, port, appName, extraConfig = '') => `
+# ${appName} Configuration (HTTPS)
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
     http2 on;
-    server_name ${frontendHost};
+    server_name ${host};
 
     # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${frontendHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${frontendHost}/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/${host}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${host}/privkey.pem;
 
     # SSL Configuration
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -834,9 +844,9 @@ server {
 
     # Increase body size for file uploads
     client_max_body_size 100M;
-
+${extraConfig}
     location / {
-        proxy_pass http://localhost:${frontendPort};
+        proxy_pass http://localhost:${port};
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
@@ -853,37 +863,21 @@ server {
     }
 }
 
-# HTTP to HTTPS redirect for ${frontendHost}
+# HTTP to HTTPS redirect for ${host}
 server {
     listen 80;
     listen [::]:80;
-    server_name ${frontendHost};
+    server_name ${host};
     return 301 https://$server_name$request_uri;
-}
+}`;
 
-# ANTE API Configuration (HTTPS)
+  // Helper function to generate HTTP-only server block (for domains without SSL cert)
+  const generateHttpServerBlock = (host, port, appName, extraConfig = '') => `
+# ${appName} Configuration (HTTP only - SSL cert not available)
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2 on;
-    server_name ${apiHost};
-
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${apiHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${apiHost}/privkey.pem;
-
-    # SSL Configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    listen 80;
+    listen [::]:80;
+    server_name ${host};
 
     # Increase buffer sizes for large headers
     client_header_buffer_size 16k;
@@ -891,9 +885,9 @@ server {
 
     # Increase body size for file uploads
     client_max_body_size 100M;
-
+${extraConfig}
     location / {
-        proxy_pass http://localhost:${apiPort};
+        proxy_pass http://localhost:${port};
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
@@ -907,31 +901,40 @@ server {
         proxy_connect_timeout 60s;
         proxy_send_timeout 60s;
         proxy_read_timeout 60s;
+    }
+}`;
 
-        # WebSocket support
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
+  // Helper function to generate appropriate block based on cert availability
+  const generateServerBlock = (host, port, appName, extraConfig = '') => {
+    if (hasCert(host)) {
+      return generateSslServerBlock(host, port, appName, extraConfig);
     }
-}
+    return generateHttpServerBlock(host, port, appName, extraConfig);
+  };
 
-# HTTP to HTTPS redirect for ${apiHost}
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ${apiHost};
-    return 301 https://$server_name$request_uri;
-}
-${gateAppHost ? `
-# ANTE Gate App Configuration (HTTPS)
+  // Generate config blocks
+  let config_output = '';
+
+  // Frontend (required)
+  config_output += generateServerBlock(frontendHost, frontendPort, 'ANTE Frontend');
+
+  // API (required) - with WebSocket support
+  const apiExtraConfig = `
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;`;
+  if (hasCert(apiHost)) {
+    config_output += `
+# ANTE API Configuration (HTTPS)
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
     http2 on;
-    server_name ${gateAppHost};
+    server_name ${apiHost};
 
     # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${gateAppHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${gateAppHost}/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/${apiHost}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${apiHost}/privkey.pem;
 
     # SSL Configuration
     ssl_protocols TLSv1.2 TLSv1.3;
@@ -954,7 +957,7 @@ server {
     client_max_body_size 100M;
 
     location / {
-        proxy_pass http://localhost:${gateAppPort};
+        proxy_pass http://localhost:${apiPort};
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
@@ -968,40 +971,27 @@ server {
         proxy_connect_timeout 60s;
         proxy_send_timeout 60s;
         proxy_read_timeout 60s;
+
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
     }
 }
 
-# HTTP to HTTPS redirect for ${gateAppHost}
+# HTTP to HTTPS redirect for ${apiHost}
 server {
     listen 80;
     listen [::]:80;
-    server_name ${gateAppHost};
+    server_name ${apiHost};
     return 301 https://$server_name$request_uri;
-}
-` : ''}${guardianAppHost ? `
-# ANTE Guardian App Configuration (HTTPS)
+}`;
+  } else {
+    config_output += `
+# ANTE API Configuration (HTTP only - SSL cert not available)
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2 on;
-    server_name ${guardianAppHost};
-
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${guardianAppHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${guardianAppHost}/privkey.pem;
-
-    # SSL Configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    listen 80;
+    listen [::]:80;
+    server_name ${apiHost};
 
     # Increase buffer sizes for large headers
     client_header_buffer_size 16k;
@@ -1011,7 +1001,7 @@ server {
     client_max_body_size 100M;
 
     location / {
-        proxy_pass http://localhost:${guardianAppPort};
+        proxy_pass http://localhost:${apiPort};
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
@@ -1025,17 +1015,38 @@ server {
         proxy_connect_timeout 60s;
         proxy_send_timeout 60s;
         proxy_read_timeout 60s;
+
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
     }
-}
+}`;
+  }
 
-# HTTP to HTTPS redirect for ${guardianAppHost}
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ${guardianAppHost};
-    return 301 https://$server_name$request_uri;
-}
-` : ''}${facialAppHost ? `
+  // Optional apps
+  if (gateAppHost) {
+    config_output += generateServerBlock(gateAppHost, gateAppPort, 'ANTE Gate App');
+  }
+
+  if (guardianAppHost) {
+    config_output += generateServerBlock(guardianAppHost, guardianAppPort, 'ANTE Guardian App');
+  }
+
+  if (facialAppHost) {
+    // Facial app has special config.js caching rules
+    const facialExtraConfig = `
+    # Disable caching for config.js to ensure runtime config is always fresh
+    location = /config.js {
+        proxy_pass http://localhost:${facialWebPort}/config.js;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
+        add_header Pragma "no-cache" always;
+        add_header Expires "0" always;
+    }
+`;
+    if (hasCert(facialAppHost)) {
+      config_output += `
 # ANTE Facial Web App Configuration (HTTPS)
 server {
     listen 443 ssl;
@@ -1101,98 +1112,34 @@ server {
     listen [::]:80;
     server_name ${facialAppHost};
     return 301 https://$server_name$request_uri;
-}
-` : ''}${posAppHost ? `
-# ANTE POS App Configuration (HTTPS)
+}`;
+    } else {
+      config_output += `
+# ANTE Facial Web App Configuration (HTTP only - SSL cert not available)
 server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2 on;
-    server_name ${posAppHost};
-
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${posAppHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${posAppHost}/privkey.pem;
-
-    # SSL Configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    listen 80;
+    listen [::]:80;
+    server_name ${facialAppHost};
 
     # Increase buffer sizes for large headers
     client_header_buffer_size 16k;
     large_client_header_buffers 4 16k;
 
-    # Increase body size for file uploads
-    client_max_body_size 100M;
+    # Increase body size for image uploads
+    client_max_body_size 50M;
 
-    location / {
-        proxy_pass http://localhost:${posAppPort};
+    # Disable caching for config.js to ensure runtime config is always fresh
+    location = /config.js {
+        proxy_pass http://localhost:${facialWebPort}/config.js;
         proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
         proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_cache_bypass $http_upgrade;
-
-        # Timeout settings
-        proxy_connect_timeout 60s;
-        proxy_send_timeout 60s;
-        proxy_read_timeout 60s;
+        add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
+        add_header Pragma "no-cache" always;
+        add_header Expires "0" always;
     }
-}
-
-# HTTP to HTTPS redirect for ${posAppHost}
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ${posAppHost};
-    return 301 https://$server_name$request_uri;
-}
-` : ''}${mlmAppHost ? `
-# ANTE MLM App Configuration (HTTPS)
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2 on;
-    server_name ${mlmAppHost};
-
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${mlmAppHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${mlmAppHost}/privkey.pem;
-
-    # SSL Configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
-
-    # Increase buffer sizes for large headers
-    client_header_buffer_size 16k;
-    large_client_header_buffers 4 16k;
-
-    # Increase body size for file uploads
-    client_max_body_size 100M;
 
     location / {
-        proxy_pass http://localhost:${mlmAppPort};
+        proxy_pass http://localhost:${facialWebPort};
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection 'upgrade';
@@ -1207,74 +1154,40 @@ server {
         proxy_send_timeout 60s;
         proxy_read_timeout 60s;
     }
-}
-
-# HTTP to HTTPS redirect for ${mlmAppHost}
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ${mlmAppHost};
-    return 301 https://$server_name$request_uri;
-}
-` : ''}${backendMlmHost ? `
-# ANTE Backend MLM API Configuration (HTTPS)
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    http2 on;
-    server_name ${backendMlmHost};
+}`;
+    }
+  }
 
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${backendMlmHost}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${backendMlmHost}/privkey.pem;
+  if (posAppHost) {
+    config_output += generateServerBlock(posAppHost, posAppPort, 'ANTE POS App');
+  }
 
-    # SSL Configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
+  if (mlmAppHost) {
+    config_output += generateServerBlock(mlmAppHost, mlmAppPort, 'ANTE MLM App');
+  }
 
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
+  if (backendMlmHost) {
+    config_output += generateServerBlock(backendMlmHost, backendMlmPort, 'ANTE Backend MLM API');
+  }
 
-    # Increase buffer sizes for large headers
-    client_header_buffer_size 16k;
-    large_client_header_buffers 4 16k;
+  return config_output.trim();
+}
 
-    # Increase body size for file uploads
-    client_max_body_size 100M;
+/**
+ * Configure NGINX for ANTE domains - KEPT FOR REFERENCE BUT NOT USED
+ * The generateSslNginxConfig function now handles both SSL and non-SSL domains
+ * based on the domainsWithCerts parameter.
+ */
 
-    location / {
-        proxy_pass http://localhost:${backendMlmPort};
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_cache_bypass $http_upgrade;
+// NOTE: Old generateSslNginxConfigLegacy function removed - functionality merged into generateSslNginxConfig
 
-        # Timeout settings
-        proxy_connect_timeout 60s;
-        proxy_send_timeout 60s;
-        proxy_read_timeout 60s;
-    }
-}
+/**
+ * Generate NGINX configuration for Cloudflare SSL - PLACEHOLDER FOR OLD FUNCTION LOCATION
+ * This marks the end of the SSL config generation section
+ */
 
-# HTTP to HTTPS redirect for ${backendMlmHost}
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ${backendMlmHost};
-    return 301 https://$server_name$request_uri;
-}
-` : ''}`;
-}
+// Previous generateSslNginxConfigLegacy function has been removed.
+// The new generateSslNginxConfig function handles partial SSL scenarios.
 
 /**
  * Configure NGINX for ANTE domains

package/src/utils/ssl.js

@@ -60,10 +60,11 @@ export async function checkDomainDNS(domain) {
  * @param {string} config.domain - Domain name (e.g., ante.example.com)
  * @param {string} config.email - Email for certificate notifications
  * @param {boolean} [config.staging=false] - Use staging environment for testing
- * @returns {Promise<void>}
+ * @param {boolean} [config.graceful=false] - If true, returns result object instead of throwing
+ * @returns {Promise<boolean|Object>} Returns true on success, or result object if graceful mode
  */
 export async function obtainSSLCertificate(config) {
-  const { domain, email, staging = false } = config;
+  const { domain, email, staging = false, graceful = false } = config;
   const spinner = ora(`Obtaining SSL certificate for ${domain}...`).start();
 
   try {
@@ -109,12 +110,22 @@ export async function obtainSSLCertificate(config) {
       spinner.succeed(`SSL certificate obtained for ${domain}`);
     } catch (error) {
       spinner.fail(`Failed to obtain SSL certificate for ${domain}`);
-      throw new Error(`Certbot failed: ${error.message}`);
+      const errorMessage = `Certbot failed: ${error.message}`;
+      if (graceful) {
+        return { success: false, domain, error: errorMessage };
+      }
+      throw new Error(errorMessage);
     }
 
+    if (graceful) {
+      return { success: true, domain };
+    }
     return true;
   } catch (error) {
     spinner.fail('Failed to obtain SSL certificate');
+    if (graceful) {
+      return { success: false, domain, error: error.message };
+    }
     throw error;
   }
 }
@@ -138,6 +149,7 @@ export async function obtainSSLCertificate(config) {
  * @param {number} [config.posAppPort=8084] - POS App port
  * @param {number} [config.mlmAppPort=9005] - MLM App port
  * @param {number} [config.backendMlmPort=4001] - Backend MLM API port
+ * @param {string[]} [config.domainsWithCerts=[]] - List of domains that have valid SSL certificates
  * @returns {Promise<void>}
  */
 export async function updateNginxForSSL(config) {
@@ -157,7 +169,8 @@ export async function updateNginxForSSL(config) {
     facialWebPort = 8083,
     posAppPort = 8084,
     mlmAppPort = 9005,
-    backendMlmPort = 4001
+    backendMlmPort = 4001,
+    domainsWithCerts = []
   } = config;
   const spinner = ora('Updating NGINX configuration for HTTPS...').start();
 
@@ -194,7 +207,8 @@ export async function updateNginxForSSL(config) {
       posAppPort,
       mlmAppPort,
       backendMlmPort,
-      ssl: true
+      ssl: true,
+      domainsWithCerts
     });
 
     // Write new configuration