ante-erp-cli 1.7.0 → 1.7.2

package/bin/ante-cli.js

@@ -33,6 +33,7 @@ import { uninstall } from '../src/commands/uninstall.js';
 import { migrate, seed, shell, optimize, reset as dbReset, info } from '../src/commands/database.js';
 import { cloneDb } from '../src/commands/clone-db.js';
 import { setDomain } from '../src/commands/set-domain.js';
+import { sslEnable, sslStatus } from '../src/commands/ssl-enable.js';
 
 // Installation & Setup
 program
@@ -214,6 +215,24 @@ program
   .option('--no-interactive', 'Non-interactive mode')
   .action(setDomain);
 
+// SSL/HTTPS Management
+const sslCmd = program
+  .command('ssl')
+  .description('SSL/HTTPS certificate management');
+
+sslCmd
+  .command('enable')
+  .description('Enable SSL/HTTPS with automatic certificate from Let\'s Encrypt')
+  .option('--email <email>', 'Email for certificate notifications')
+  .option('--staging', 'Use Let\'s Encrypt staging environment (for testing)')
+  .option('--no-interactive', 'Non-interactive mode')
+  .action(sslEnable);
+
+sslCmd
+  .command('status')
+  .description('Check SSL certificate status and expiry')
+  .action(sslStatus);
+
 // Help
 program
   .command('help [command]')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.7.0",
+  "version": "1.7.2",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/ssl-enable.js

@@ -0,0 +1,349 @@
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import ora from 'ora';
+import { readFileSync } from 'fs';
+import { join } from 'path';
+import { getInstallDir } from '../utils/config.js';
+import { isNginxInstalled } from '../utils/nginx.js';
+import {
+  obtainSSLCertificate,
+  updateNginxForSSL,
+  setupAutoRenewal,
+  checkSSLStatus,
+  extractDomain
+} from '../utils/ssl.js';
+
+/**
+ * Validate email format
+ * @param {string} email - Email to validate
+ * @returns {boolean|string} True if valid, error message if invalid
+ */
+function validateEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  if (!email || email.trim() === '') {
+    return 'Email is required';
+  }
+  if (!emailRegex.test(email)) {
+    return 'Please enter a valid email address';
+  }
+  return true;
+}
+
+/**
+ * Read environment variable from .env file
+ * @param {string} envPath - Path to .env file
+ * @param {string} key - Environment variable key
+ * @returns {string} Value or empty string
+ */
+function getEnvValue(envPath, key) {
+  try {
+    const envContent = readFileSync(envPath, 'utf8');
+    const match = envContent.match(new RegExp(`^${key}=(.*)$`, 'm'));
+    return match ? match[1] : '';
+  } catch {
+    return '';
+  }
+}
+
+/**
+ * Enable SSL/HTTPS for ANTE installation
+ */
+export async function sslEnable(options) {
+  try {
+    console.log(chalk.bold('\n🔒 Enable SSL/HTTPS for ANTE\n'));
+
+    // Check if NGINX is installed
+    const nginxInstalled = await isNginxInstalled();
+    if (!nginxInstalled) {
+      console.log(chalk.red('✗ NGINX is not installed'));
+      console.log(chalk.yellow('\n⚠  SSL requires NGINX to be configured first.'));
+      console.log(chalk.gray('   Run "ante set-domain" to configure domains and NGINX.\n'));
+      process.exit(1);
+    }
+
+    // Get installation directory
+    const installDir = getInstallDir();
+    const envPath = join(installDir, '.env');
+
+    console.log(chalk.gray(`Installation: ${installDir}\n`));
+
+    // Read current configuration
+    const frontendUrl = getEnvValue(envPath, 'FRONTEND_URL');
+    const apiUrl = getEnvValue(envPath, 'API_URL');
+
+    if (!frontendUrl || !apiUrl) {
+      console.log(chalk.red('✗ Domain configuration not found'));
+      console.log(chalk.yellow('\n⚠  Please configure domains first using:'));
+      console.log(chalk.gray('   ante set-domain\n'));
+      process.exit(1);
+    }
+
+    // Extract domains from URLs
+    const frontendDomain = extractDomain(frontendUrl);
+    const apiDomain = extractDomain(apiUrl);
+
+    // Check if domains are already using HTTPS
+    if (frontendUrl.startsWith('https://') && apiUrl.startsWith('https://')) {
+      console.log(chalk.yellow('⚠  Domains are already configured with HTTPS:\n'));
+      console.log(chalk.gray(`   Frontend: ${frontendUrl}`));
+      console.log(chalk.gray(`   API: ${apiUrl}\n`));
+
+      // Check certificate status
+      const frontendStatus = await checkSSLStatus(frontendDomain);
+      const apiStatus = await checkSSLStatus(apiDomain);
+
+      if (frontendStatus.installed) {
+        console.log(chalk.green(`✓ Frontend SSL: Valid (expires in ${frontendStatus.daysUntilExpiry} days)`));
+      }
+      if (apiStatus.installed) {
+        console.log(chalk.green(`✓ API SSL: Valid (expires in ${apiStatus.daysUntilExpiry} days)`));
+      }
+
+      console.log();
+
+      const { proceed } = await inquirer.prompt([
+        {
+          type: 'confirm',
+          name: 'proceed',
+          message: 'Do you want to renew or reconfigure SSL certificates?',
+          default: false
+        }
+      ]);
+
+      if (!proceed) {
+        console.log(chalk.gray('\nSSL configuration cancelled.\n'));
+        return;
+      }
+    }
+
+    // Show current configuration
+    console.log(chalk.cyan('Current Configuration:'));
+    console.log(chalk.gray(`   Frontend: ${frontendUrl}`));
+    console.log(chalk.gray(`   API: ${apiUrl}\n`));
+
+    // Detect domains to configure
+    const domains = [];
+
+    if (frontendDomain !== 'localhost' && !frontendDomain.match(/^\d+\.\d+\.\d+\.\d+$/)) {
+      domains.push({
+        name: 'Frontend',
+        domain: frontendDomain,
+        port: frontendUrl.match(/:(\d+)/) ? frontendUrl.match(/:(\d+)/)[1] : 8080,
+        url: frontendUrl
+      });
+    }
+
+    if (apiDomain !== 'localhost' && !apiDomain.match(/^\d+\.\d+\.\d+\.\d+$/) && apiDomain !== frontendDomain) {
+      domains.push({
+        name: 'API',
+        domain: apiDomain,
+        port: apiUrl.match(/:(\d+)/) ? apiUrl.match(/:(\d+)/)[1] : 3001,
+        url: apiUrl
+      });
+    }
+
+    if (domains.length === 0) {
+      console.log(chalk.red('✗ No valid domains found for SSL configuration'));
+      console.log(chalk.yellow('\n⚠  SSL certificates require domain names (not localhost or IP addresses).'));
+      console.log(chalk.gray('   Configure a domain using "ante set-domain" first.\n'));
+      process.exit(1);
+    }
+
+    // Interactive mode: ask for email and confirmation
+    if (options.interactive !== false) {
+      console.log(chalk.yellow('SSL certificates will be obtained for:\n'));
+      domains.forEach(d => {
+        console.log(chalk.white(`   • ${d.domain} (${d.name})`));
+      });
+      console.log();
+
+      const answers = await inquirer.prompt([
+        {
+          type: 'input',
+          name: 'email',
+          message: 'Email address for certificate notifications:',
+          validate: validateEmail,
+          default: options.email || ''
+        },
+        {
+          type: 'confirm',
+          name: 'confirm',
+          message: 'Proceed with SSL certificate installation?',
+          default: true
+        }
+      ]);
+
+      if (!answers.confirm) {
+        console.log(chalk.gray('\nSSL configuration cancelled.\n'));
+        return;
+      }
+
+      options.email = answers.email;
+    } else {
+      // Non-interactive mode: require email
+      if (!options.email) {
+        console.log(chalk.red('✗ Email is required in non-interactive mode'));
+        console.log(chalk.gray('   Use: ante ssl enable --email your@email.com\n'));
+        process.exit(1);
+      }
+
+      const emailValidation = validateEmail(options.email);
+      if (emailValidation !== true) {
+        console.log(chalk.red(`✗ ${emailValidation}\n`));
+        process.exit(1);
+      }
+    }
+
+    console.log(chalk.bold('\n🚀 Starting SSL Configuration...\n'));
+
+    // Step 1: Obtain SSL certificates for all domains
+    console.log(chalk.cyan('📋 Obtaining SSL certificates...\n'));
+
+    for (const domainConfig of domains) {
+      try {
+        console.log(chalk.gray(`   Obtaining certificate for ${domainConfig.domain}...`));
+        await obtainSSLCertificate({
+          domain: domainConfig.domain,
+          email: options.email,
+          staging: options.staging || false
+        });
+      } catch (error) {
+        console.log(chalk.red(`\n✗ Failed to obtain SSL certificate for ${domainConfig.domain}:`), error.message);
+        console.log(chalk.yellow('\n⚠  Troubleshooting:'));
+        console.log(chalk.gray('   1. Verify DNS points to this server'));
+        console.log(chalk.gray('   2. Ensure ports 80 and 443 are open'));
+        console.log(chalk.gray('   3. Check NGINX is running: systemctl status nginx'));
+        console.log(chalk.gray('   4. View certbot logs: /var/log/letsencrypt/letsencrypt.log\n'));
+        process.exit(1);
+      }
+    }
+
+    console.log(chalk.green('\n✓ All SSL certificates obtained\n'));
+
+    // Step 2: Update NGINX configuration with SSL
+    console.log(chalk.cyan('🔧 Configuring NGINX for HTTPS...\n'));
+
+    try {
+      // Extract frontend and API ports
+      const frontendPort = frontendUrl.match(/:(\d+)/) ? parseInt(frontendUrl.match(/:(\d+)/)[1]) : 8080;
+      const apiPort = apiUrl.match(/:(\d+)/) ? parseInt(apiUrl.match(/:(\d+)/)[1]) : 3001;
+
+      await updateNginxForSSL({
+        frontendDomain: frontendUrl,
+        apiDomain: apiUrl,
+        frontendPort,
+        apiPort
+      });
+    } catch (error) {
+      console.log(chalk.red('\n✗ Failed to configure NGINX:'), error.message);
+      console.log(chalk.yellow('\n⚠  Troubleshooting:'));
+      console.log(chalk.gray('   1. Check NGINX configuration: nginx -t'));
+      console.log(chalk.gray('   2. View NGINX logs: journalctl -u nginx'));
+      console.log(chalk.gray('   3. Restore backup: cp /etc/nginx/sites-enabled/ante.backup /etc/nginx/sites-enabled/ante\n'));
+      process.exit(1);
+    }
+
+    // Setup automatic renewal
+    console.log(chalk.cyan('\n🔄 Setting up automatic certificate renewal...\n'));
+    await setupAutoRenewal();
+
+    // Success summary
+    console.log(chalk.bold.green('\n✓ SSL/HTTPS Configuration Complete!\n'));
+
+    console.log(chalk.cyan('Secured Domains:'));
+    domains.forEach(d => {
+      const httpsUrl = d.url.replace('http://', 'https://').replace(/:\d+$/, '');
+      console.log(chalk.white(`   • ${d.domain}`));
+      console.log(chalk.gray(`     ${httpsUrl}\n`));
+    });
+
+    console.log(chalk.cyan('Certificate Details:'));
+    console.log(chalk.gray('   Provider: Let\'s Encrypt'));
+    console.log(chalk.gray('   Validity: 90 days'));
+    console.log(chalk.gray('   Auto-renewal: Enabled (daily check at 3:00 AM)'));
+
+    console.log(chalk.yellow('\n⚠  Important:'));
+    console.log(chalk.gray('   • Update your .env file to use HTTPS URLs'));
+    console.log(chalk.gray('   • Restart services: ante restart'));
+    console.log(chalk.gray('   • Update DNS if not already configured'));
+
+    console.log(chalk.cyan('\n💡 Next Steps:'));
+    console.log(chalk.white('   1. Update environment variables:'));
+    console.log(chalk.gray('      ante set-domain --frontend https://your-domain --api https://api-domain'));
+    console.log(chalk.white('   2. Restart services:'));
+    console.log(chalk.gray('      ante restart'));
+    console.log(chalk.white('   3. Test HTTPS access:'));
+    domains.forEach(d => {
+      const httpsUrl = d.url.replace('http://', 'https://').replace(/:\d+$/, '');
+      console.log(chalk.gray(`      ${httpsUrl}`));
+    });
+    console.log();
+
+  } catch (error) {
+    console.error(chalk.red('\n✗ SSL configuration failed:'), error.message);
+    console.log(chalk.yellow('\n⚠  Common Issues:'));
+    console.log(chalk.gray('   • Domain does not resolve to this server'));
+    console.log(chalk.gray('   • Ports 80/443 are not accessible'));
+    console.log(chalk.gray('   • NGINX is not properly configured'));
+    console.log(chalk.gray('   • Firewall is blocking traffic\n'));
+    process.exit(1);
+  }
+}
+
+/**
+ * Check SSL certificate status
+ */
+export async function sslStatus() {
+  try {
+    console.log(chalk.bold('\n🔒 SSL Certificate Status\n'));
+
+    const installDir = getInstallDir();
+    const envPath = join(installDir, '.env');
+
+    const frontendUrl = getEnvValue(envPath, 'FRONTEND_URL');
+    const apiUrl = getEnvValue(envPath, 'API_URL');
+
+    if (!frontendUrl || !apiUrl) {
+      console.log(chalk.red('✗ Domain configuration not found\n'));
+      process.exit(1);
+    }
+
+    const frontendDomain = extractDomain(frontendUrl);
+    const apiDomain = extractDomain(apiUrl);
+
+    const domains = [
+      { name: 'Frontend', domain: frontendDomain, url: frontendUrl },
+      { name: 'API', domain: apiDomain, url: apiUrl }
+    ];
+
+    for (const { name, domain, url } of domains) {
+      console.log(chalk.cyan(`${name}:`));
+      console.log(chalk.gray(`   Domain: ${domain}`));
+      console.log(chalk.gray(`   URL: ${url}`));
+
+      const spinner = ora('Checking certificate...').start();
+      const status = await checkSSLStatus(domain);
+
+      if (status.installed) {
+        spinner.succeed('Certificate found');
+        console.log(chalk.gray(`   Expiry: ${new Date(status.expiryDate).toLocaleDateString()}`));
+        console.log(chalk.gray(`   Days remaining: ${status.daysUntilExpiry}`));
+
+        if (status.daysUntilExpiry < 30) {
+          console.log(chalk.yellow(`   Status: Expiring soon (renew recommended)`));
+        } else {
+          console.log(chalk.green(`   Status: Valid`));
+        }
+      } else {
+        spinner.fail('No certificate found');
+        console.log(chalk.gray(`   Run "ante ssl enable" to obtain a certificate`));
+      }
+
+      console.log();
+    }
+
+  } catch (error) {
+    console.error(chalk.red('\n✗ Failed to check SSL status:'), error.message);
+    process.exit(1);
+  }
+}

package/src/utils/nginx.js

@@ -50,15 +50,20 @@ export async function installNginx(spinner) {
  * @param {string} config.apiDomain - API domain (e.g., api.ante.example.com)
  * @param {number} config.frontendPort - Frontend Docker port (default: 8080)
  * @param {number} config.apiPort - API Docker port (default: 3001)
+ * @param {boolean} config.ssl - Enable SSL configuration (default: false)
  * @returns {string} NGINX configuration content
  */
 export function generateNginxConfig(config) {
-  const { frontendDomain, apiDomain, frontendPort = 8080, apiPort = 3001 } = config;
+  const { frontendDomain, apiDomain, frontendPort = 8080, apiPort = 3001, ssl = false } = config;
 
   // Extract domain without protocol
   const frontendHost = frontendDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
   const apiHost = apiDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
 
+  if (ssl) {
+    return generateSslNginxConfig({ frontendHost, apiHost, frontendPort, apiPort });
+  }
+
   return `# ANTE Frontend Configuration
 server {
     listen 80;
@@ -127,6 +132,138 @@ server {
 `;
 }
 
+/**
+ * Generate NGINX configuration with SSL support
+ * @param {Object} config - Configuration object
+ * @param {string} config.frontendHost - Frontend hostname
+ * @param {string} config.apiHost - API hostname
+ * @param {number} config.frontendPort - Frontend port
+ * @param {number} config.apiPort - API port
+ * @returns {string} NGINX configuration with SSL
+ */
+function generateSslNginxConfig(config) {
+  const { frontendHost, apiHost, frontendPort, apiPort } = config;
+
+  return `# ANTE Frontend Configuration (HTTPS)
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name ${frontendHost};
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/${frontendHost}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${frontendHost}/privkey.pem;
+
+    # SSL Configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${frontendPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+
+# HTTP to HTTPS redirect for ${frontendHost}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${frontendHost};
+    return 301 https://$server_name$request_uri;
+}
+
+# ANTE API Configuration (HTTPS)
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name ${apiHost};
+
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/${apiHost}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${apiHost}/privkey.pem;
+
+    # SSL Configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${apiPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+    }
+}
+
+# HTTP to HTTPS redirect for ${apiHost}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${apiHost};
+    return 301 https://$server_name$request_uri;
+}
+`;
+}
+
 /**
  * Configure NGINX for ANTE domains
  * @param {Object} config - Configuration object

package/src/utils/ssl.js

@@ -0,0 +1,329 @@
+import chalk from 'chalk';
+import ora from 'ora';
+import { execa } from 'execa';
+import { writeFileSync, existsSync, copyFileSync } from 'fs';
+import { generateNginxConfig } from './nginx.js';
+
+/**
+ * Check if certbot is installed
+ * @returns {Promise<boolean>} True if certbot is installed
+ */
+export async function isCertbotInstalled() {
+  try {
+    await execa('which', ['certbot']);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Install certbot on Ubuntu/Debian
+ * @param {Object} spinner - Ora spinner instance
+ * @returns {Promise<void>}
+ */
+export async function installCertbot(spinner) {
+  try {
+    spinner.text = 'Installing certbot...';
+
+    // Update package list
+    await execa('apt-get', ['update', '-qq'], { stdio: 'pipe' });
+
+    // Install certbot
+    await execa('apt-get', ['install', '-y', '-qq', 'certbot', 'python3-certbot-nginx'], { stdio: 'pipe' });
+
+    spinner.succeed('Certbot installed successfully');
+    return true;
+  } catch (error) {
+    spinner.fail('Failed to install certbot');
+    throw new Error(`Certbot installation failed: ${error.message}`);
+  }
+}
+
+/**
+ * Check if a domain has valid DNS resolution
+ * @param {string} domain - Domain to check
+ * @returns {Promise<boolean>} True if domain resolves
+ */
+export async function checkDomainDNS(domain) {
+  try {
+    const { stdout } = await execa('host', [domain], { stdio: 'pipe' });
+    return stdout.includes('has address') || stdout.includes('has IPv6 address');
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Obtain SSL certificate using certbot
+ * @param {Object} config - Configuration object
+ * @param {string} config.domain - Domain name (e.g., ante.example.com)
+ * @param {string} config.email - Email for certificate notifications
+ * @param {boolean} [config.staging=false] - Use staging environment for testing
+ * @returns {Promise<void>}
+ */
+export async function obtainSSLCertificate(config) {
+  const { domain, email, staging = false } = config;
+  const spinner = ora(`Obtaining SSL certificate for ${domain}...`).start();
+
+  try {
+    // Check if certbot is installed
+    const certbotInstalled = await isCertbotInstalled();
+    if (!certbotInstalled) {
+      spinner.text = 'Certbot not found, installing...';
+      await installCertbot(spinner);
+      spinner.start(`Obtaining SSL certificate for ${domain}...`);
+    }
+
+    // Check DNS resolution
+    spinner.text = `Checking DNS resolution for ${domain}...`;
+    const dnsResolved = await checkDomainDNS(domain);
+    if (!dnsResolved) {
+      spinner.warn(`Warning: ${domain} does not resolve to an IP address`);
+      console.log(chalk.yellow('\n⚠  DNS Check Failed:'));
+      console.log(chalk.gray('   The domain does not currently resolve. Certbot may fail.'));
+      console.log(chalk.gray('   Make sure your DNS is properly configured before continuing.\n'));
+    }
+
+    spinner.text = `Obtaining SSL certificate for ${domain}...`;
+
+    // Build certbot command
+    const certbotArgs = [
+      'certonly',
+      '--nginx',
+      '-d', domain,
+      '--email', email,
+      '--agree-tos',
+      '--no-eff-email',
+      '--non-interactive'
+    ];
+
+    // Add staging flag if testing
+    if (staging) {
+      certbotArgs.push('--staging');
+    }
+
+    // Run certbot
+    try {
+      await execa('certbot', certbotArgs, { stdio: 'pipe' });
+      spinner.succeed(`SSL certificate obtained for ${domain}`);
+    } catch (error) {
+      spinner.fail(`Failed to obtain SSL certificate for ${domain}`);
+      throw new Error(`Certbot failed: ${error.message}`);
+    }
+
+    return true;
+  } catch (error) {
+    spinner.fail('Failed to obtain SSL certificate');
+    throw error;
+  }
+}
+
+/**
+ * Update NGINX configuration to use SSL
+ * @param {Object} config - Configuration object
+ * @param {string} config.frontendDomain - Frontend domain URL
+ * @param {string} config.apiDomain - API domain URL
+ * @param {number} [config.frontendPort=8080] - Frontend port
+ * @param {number} [config.apiPort=3001] - API port
+ * @returns {Promise<void>}
+ */
+export async function updateNginxForSSL(config) {
+  const { frontendDomain, apiDomain, frontendPort = 8080, apiPort = 3001 } = config;
+  const spinner = ora('Updating NGINX configuration for HTTPS...').start();
+
+  try {
+    const configPath = '/etc/nginx/sites-enabled/ante';
+    const backupPath = `${configPath}.backup`;
+
+    // Check if config exists
+    if (!existsSync(configPath)) {
+      spinner.fail('NGINX configuration not found');
+      throw new Error('Please run "ante set-domain" first to configure NGINX');
+    }
+
+    // Backup existing configuration
+    spinner.text = 'Backing up current NGINX configuration...';
+    copyFileSync(configPath, backupPath);
+
+    // Generate new SSL-enabled configuration
+    spinner.text = 'Generating SSL configuration...';
+    const sslConfig = generateNginxConfig({
+      frontendDomain,
+      apiDomain,
+      frontendPort,
+      apiPort,
+      ssl: true
+    });
+
+    // Write new configuration
+    writeFileSync(configPath, sslConfig);
+
+    // Test NGINX configuration
+    spinner.text = 'Testing NGINX configuration...';
+    try {
+      const { stderr } = await execa('nginx', ['-t'], { stdio: 'pipe' });
+
+      // Check for warnings
+      if (stderr && !stderr.includes('syntax is ok')) {
+        console.log(chalk.yellow('\n⚠  NGINX warnings:'));
+        console.log(chalk.gray(stderr));
+      }
+    } catch (error) {
+      spinner.fail('NGINX configuration test failed');
+
+      // Restore backup
+      console.log(chalk.yellow('\n⚠  Restoring previous configuration...'));
+      copyFileSync(backupPath, configPath);
+
+      throw new Error(`Invalid NGINX configuration: ${error.stderr || error.message}`);
+    }
+
+    // Reload NGINX
+    spinner.text = 'Reloading NGINX...';
+    try {
+      await execa('systemctl', ['reload', 'nginx'], { stdio: 'pipe' });
+    } catch {
+      // If reload fails, try restart
+      await execa('systemctl', ['restart', 'nginx'], { stdio: 'pipe' });
+    }
+
+    // Verify NGINX is running
+    const { stdout } = await execa('systemctl', ['is-active', 'nginx'], { stdio: 'pipe' });
+    if (stdout.trim() !== 'active') {
+      throw new Error('NGINX failed to start after configuration update');
+    }
+
+    spinner.succeed('NGINX configured for HTTPS');
+
+    // Show configuration info
+    const frontendHost = frontendDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+    const apiHost = apiDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+    console.log(chalk.gray('\n📝 NGINX Configuration:'));
+    console.log(chalk.gray(`   Frontend: https://${frontendHost} → localhost:${frontendPort}`));
+    console.log(chalk.gray(`   API: https://${apiHost} → localhost:${apiPort}`));
+    console.log(chalk.gray(`   HTTP redirects to HTTPS: Enabled\n`));
+
+  } catch (error) {
+    spinner.fail('Failed to update NGINX configuration');
+    throw error;
+  }
+}
+
+/**
+ * Setup automatic SSL certificate renewal via cron
+ * @returns {Promise<void>}
+ */
+export async function setupAutoRenewal() {
+  const spinner = ora('Setting up automatic SSL renewal...').start();
+
+  try {
+    // Check if certbot timer is enabled (systemd-based auto-renewal)
+    try {
+      const { stdout } = await execa('systemctl', ['is-enabled', 'certbot.timer'], { stdio: 'pipe' });
+      if (stdout.trim() === 'enabled') {
+        spinner.succeed('Automatic SSL renewal already configured (systemd timer)');
+        return;
+      }
+    } catch {
+      // Timer not enabled, continue with cron setup
+    }
+
+    // Try to enable systemd timer first (modern approach)
+    try {
+      await execa('systemctl', ['enable', 'certbot.timer'], { stdio: 'pipe' });
+      await execa('systemctl', ['start', 'certbot.timer'], { stdio: 'pipe' });
+      spinner.succeed('Automatic SSL renewal configured (systemd timer)');
+      return;
+    } catch {
+      // Systemd timer not available, fallback to cron
+    }
+
+    // Fallback: Setup cron job
+    const cronJob = '0 3 * * * certbot renew --quiet --nginx --post-hook "systemctl reload nginx"';
+    const cronFile = '/etc/cron.d/certbot-renewal';
+
+    // Write cron job
+    writeFileSync(cronFile, `# Certbot automatic renewal\nSHELL=/bin/bash\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n\n${cronJob}\n`);
+
+    // Set proper permissions
+    await execa('chmod', ['644', cronFile]);
+
+    spinner.succeed('Automatic SSL renewal configured (cron)');
+
+    console.log(chalk.gray('\n📝 SSL Renewal Details:'));
+    console.log(chalk.gray('   Renewal check: Daily at 3:00 AM'));
+    console.log(chalk.gray('   Method: Cron job'));
+    console.log(chalk.gray('   Certificates will auto-renew when within 30 days of expiry\n'));
+
+  } catch (error) {
+    spinner.fail('Failed to setup automatic renewal');
+    throw error;
+  }
+}
+
+/**
+ * Check SSL certificate status for a domain
+ * @param {string} domain - Domain name
+ * @returns {Promise<Object>} Certificate status information
+ */
+export async function checkSSLStatus(domain) {
+  try {
+    const certPath = `/etc/letsencrypt/live/${domain}/cert.pem`;
+
+    if (!existsSync(certPath)) {
+      return {
+        installed: false,
+        message: 'No SSL certificate found'
+      };
+    }
+
+    // Get certificate expiry date
+    const { stdout } = await execa('openssl', [
+      'x509',
+      '-enddate',
+      '-noout',
+      '-in',
+      certPath
+    ], { stdio: 'pipe' });
+
+    const expiryMatch = stdout.match(/notAfter=(.+)/);
+    const expiryDate = expiryMatch ? new Date(expiryMatch[1]) : null;
+
+    if (expiryDate) {
+      const daysUntilExpiry = Math.floor((expiryDate - new Date()) / (1000 * 60 * 60 * 24));
+
+      return {
+        installed: true,
+        expiryDate: expiryDate.toISOString(),
+        daysUntilExpiry,
+        status: daysUntilExpiry > 30 ? 'valid' : 'expiring-soon'
+      };
+    }
+
+    return {
+      installed: true,
+      message: 'Certificate found but unable to parse expiry date'
+    };
+
+  } catch (error) {
+    return {
+      installed: false,
+      error: error.message
+    };
+  }
+}
+
+/**
+ * Extract domain from URL
+ * @param {string} url - URL string
+ * @returns {string} Domain name
+ */
+export function extractDomain(url) {
+  try {
+    const parsed = new URL(url);
+    return parsed.hostname;
+  } catch {
+    return url;
+  }
+}