Add automatic SSL/TLS certificate setup

- Adds Let's Encrypt support for production (with auto-renewal via certbot.timer)
- Falls back to self-signed certificate for development/testing
- New SSL_EMAIL environment variable enables production SSL
- HTTPS redirect automatically configured for all sites
- Updates INSTALL.md with SSL documentation and examples

Production usage:
  SSL_EMAIL=admin@example.com APACHE_SERVER_NAME=pos.example.com

Development usage (self-signed cert):
  APACHE_SERVER_NAME=localhost (default)

INSTALL.md

@@ -118,6 +118,7 @@ The installer will:
 - Download the **latest stable release** of OSPOS from GitHub
 - Create a database with secure random password
 - Configure OSPOS and Apache
+- **Set up SSL/TLS certificates** (Let's Encrypt or self-signed)
 - Display login credentials after completion
 
 **Customization (optional):**
@@ -127,6 +128,9 @@ curl -sSL https://opensourcepos.org/install | DB_PASS=mypassword APACHE_SERVER_N
 
 # Install a specific OSPOS version
 curl -sSL https://opensourcepos.org/install | OSPOS_VERSION=3.4.2 sudo -E bash
+
+# Production setup with Let's Encrypt SSL (recommended)
+curl -sSL https://opensourcepos.org/install | APACHE_SERVER_NAME=pos.example.com SSL_EMAIL=admin@example.com sudo -E bash
 ```
 
 **Environment variables:**
@@ -137,6 +141,11 @@ curl -sSL https://opensourcepos.org/install | OSPOS_VERSION=3.4.2 sudo -E bash
 - `OSPOS_VERSION` - OSPOS version to install (default: latest stable release)
 - `PHP_VERSION` - PHP version (default: 8.2)
 - `APACHE_SERVER_NAME` - Server hostname (default: localhost)
+- `SSL_EMAIL` - Email for Let's Encrypt (production SSL). If set, enables production SSL with auto-renewal
+
+**SSL/TLS Configuration:**
+- **Production (recommended):** Set `SSL_EMAIL=your@email.com` to use Let's Encrypt with automatic renewal
+- **Development/Testing:** Without `SSL_EMAIL`, a self-signed certificate is generated (your browser will show a security warning)
 
 > **Note:** If the short URL is unavailable, use the direct GitHub URL:
 > ```bash
@@ -145,4 +154,4 @@ curl -sSL https://opensourcepos.org/install | OSPOS_VERSION=3.4.2 sudo -E bash
 
 For other cloud providers or manual installation, see the [detailed installation guide](https://github.com/opensourcepos/opensourcepos/wiki/Getting-Started-installations) in the wiki.
 
-**Important:** After installation, change the default password and configure SSL/TLS certificates for production use.
+**Important:** Change the default password after first login!

scripts/install-ubuntu.sh

@@ -29,6 +29,7 @@ OSPOS_DIR="${OSPOS_DIR:-/var/www/ospos}"
 OSPOS_VERSION="${OSPOS_VERSION:-}"
 PHP_VERSION="${PHP_VERSION:-8.2}"
 APACHE_SERVER_NAME="${APACHE_SERVER_NAME:-localhost}"
+SSL_EMAIL="${SSL_EMAIL:-}"
 MYSQL_ROOT_PASS="${MYSQL_ROOT_PASS:-}"
 
 echo -e "${COLOR_YELLOW}Configuration:${COLOR_RESET}"
@@ -42,6 +43,12 @@ if [ -n "$OSPOS_VERSION" ]; then
 else
     echo -e "  OSPOS Version: latest"
 fi
+if [ -n "$SSL_EMAIL" ]; then
+    echo -e "  SSL Email: ${SSL_EMAIL}"
+    echo -e "  SSL: Let's Encrypt (production)"
+else
+    echo -e "  SSL: Self-signed certificate"
+fi
 echo ""
 
 if [ -d "$OSPOS_DIR" ]; then
@@ -50,10 +57,10 @@ if [ -d "$OSPOS_DIR" ]; then
     exit 1
 fi
 
-echo -e "${COLOR_GREEN}[1/9] Updating system packages...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[1/11] Updating system packages...${COLOR_RESET}"
 apt-get update -qq
 
-echo -e "${COLOR_GREEN}[2/9] Installing Apache, PHP, and dependencies...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[2/11] Installing Apache, PHP, and dependencies...${COLOR_RESET}"
 apt-get install -y -qq \
     apache2 \
     mariadb-server \
@@ -73,19 +80,19 @@ apt-get install -y -qq \
     unzip \
     openssl
 
-echo -e "${COLOR_GREEN}[3/9] Starting MariaDB...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[3/11] Starting MariaDB...${COLOR_RESET}"
 systemctl start mariadb
 systemctl enable mariadb
 
 if [ -z "$MYSQL_ROOT_PASS" ]; then
-    echo -e "${COLOR_GREEN}[3/9] Securing MariaDB installation...${COLOR_RESET}"
+    echo -e "${COLOR_BLUE}Securing MariaDB installation...${COLOR_RESET}"
     mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';"
     mysql -e "FLUSH PRIVILEGES;"
 else
     mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASS}';"
 fi
 
-echo -e "${COLOR_GREEN}[4/9] Creating database and user...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[4/11] Creating database and user...${COLOR_RESET}"
 mysql -u root <<EOF
 CREATE DATABASE IF NOT EXISTS ${DB_NAME} CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
 CREATE USER IF NOT EXISTS '${DB_USER}'@'${DB_HOST}' IDENTIFIED BY '${DB_PASS}';
@@ -93,7 +100,7 @@ GRANT ALL PRIVILEGES ON ${DB_NAME}.* TO '${DB_USER}'@'${DB_HOST}';
 FLUSH PRIVILEGES;
 EOF
 
-echo -e "${COLOR_GREEN}[5/9] Downloading OSPOS...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[5/11] Downloading OSPOS...${COLOR_RESET}"
 mkdir -p /var/www
 cd /var/www
 
@@ -120,7 +127,7 @@ rm -rf ospos-temp ospos.zip
 
 echo -e "${COLOR_GREEN}Downloaded OSPOS ${OSPOS_VERSION}${COLOR_RESET}"
 
-echo -e "${COLOR_GREEN}[6/9] Setting up OSPOS...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[6/11] Setting up OSPOS...${COLOR_RESET}"
 cd ${OSPOS_DIR}
 
 curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer 2>/dev/null
@@ -130,7 +137,7 @@ if [ -f "composer.json" ]; then
     composer install --no-dev --optimize-autoloader --no-interaction --quiet 2>/dev/null
 fi
 
-echo -e "${COLOR_GREEN}[7/9] Configuring OSPOS...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[7/11] Configuring OSPOS...${COLOR_RESET}"
 if [ -f ".env.example" ]; then
     cp .env.example .env
     sed -i "s/database\.default\.hostname = localhost/database.default.hostname = ${DB_HOST}/" .env
@@ -140,10 +147,10 @@ if [ -f ".env.example" ]; then
     sed -i "s/CI_ENVIRONMENT = development/CI_ENVIRONMENT = production/" .env
 fi
 
-echo -e "${COLOR_GREEN}[8/9] Importing database schema...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[8/11] Importing database schema...${COLOR_RESET}"
 mysql -u root ${DB_NAME} < app/Database/database.sql
 
-echo -e "${COLOR_GREEN}[9/9] Configuring Apache...${COLOR_RESET}"
+echo -e "${COLOR_GREEN}[9/11] Configuring Apache...${COLOR_RESET}"
 cat > /etc/apache2/sites-available/ospos.conf <<EOF
 <VirtualHost *:80>
     ServerName ${APACHE_SERVER_NAME}
@@ -170,6 +177,69 @@ chmod -R 750 ${OSPOS_DIR}/writable
 systemctl restart apache2
 systemctl enable apache2
 
+echo -e "${COLOR_GREEN}[10/11] Setting up SSL...${COLOR_RESET}"
+if [ -n "$SSL_EMAIL" ]; then
+    echo -e "${COLOR_BLUE}Installing Certbot for Let's Encrypt...${COLOR_RESET}"
+    apt-get install -y -qq certbot python3-certbot-apache
+    
+    echo -e "${COLOR_BLUE}Obtaining SSL certificate...${COLOR_RESET}"
+    certbot --apache -d ${APACHE_SERVER_NAME} --non-interactive --agree-tos --email ${SSL_EMAIL} --redirect
+    
+    echo -e "${COLOR_BLUE}Setting up auto-renewal...${COLOR_RESET}"
+    systemctl enable certbot.timer
+    systemctl start certbot.timer
+    
+    PROTOCOL="https"
+else
+    echo -e "${COLOR_BLUE}Generating self-signed SSL certificate...${COLOR_RESET}"
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout /etc/ssl/private/ospos-selfsigned.key \
+        -out /etc/ssl/certs/ospos-selfsigned.crt \
+        -subj "/C=US/ST=State/L=City/O=Organization/CN=${APACHE_SERVER_NAME}" 2>/dev/null
+    
+    cat > /etc/apache2/sites-available/ospos-ssl.conf <<EOF
+<VirtualHost *:443>
+    ServerName ${APACHE_SERVER_NAME}
+    DocumentRoot ${OSPOS_DIR}/public
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/certs/ospos-selfsigned.crt
+    SSLCertificateKeyFile /etc/ssl/private/ospos-selfsigned.key
+
+    <Directory ${OSPOS_DIR}/public>
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    ErrorLog \${APACHE_LOG_DIR}/ospos_ssl_error.log
+    CustomLog \${APACHE_LOG_DIR}/ospos_ssl_access.log combined
+</VirtualHost>
+EOF
+    
+    a2enmod ssl
+    a2ensite ospos-ssl.conf
+    
+    cat > /etc/apache2/sites-available/ospos.conf <<EOF
+<VirtualHost *:80>
+    ServerName ${APACHE_SERVER_NAME}
+    Redirect permanent / https://${APACHE_SERVER_NAME}/
+</VirtualHost>
+EOF
+    
+    a2dissite ospos.conf
+    a2ensite ospos.conf
+    
+    PROTOCOL="https"
+fi
+
+systemctl restart apache2
+
+echo -e "${COLOR_GREEN}[11/11] Configuring allowed hostnames...${COLOR_RESET}"
+if [ -f "${OSPOS_DIR}/.env" ]; then
+    sed -i "s/app\.allowedHostnames\.0 = 'localhost'/app.allowedHostnames.0 = '${APACHE_SERVER_NAME}'/" ${OSPOS_DIR}/.env
+fi
+
 echo ""
 echo -e "${COLOR_GREEN}╔══════════════════════════════════════════════════════════╗${COLOR_RESET}"
 echo -e "${COLOR_GREEN}║            Installation Complete!                         ║${COLOR_RESET}"
@@ -181,7 +251,17 @@ echo -e "  Username: ${DB_USER}"
 echo -e "  Password: ${DB_PASS}"
 echo ""
 echo -e "${COLOR_YELLOW}Login Credentials:${COLOR_RESET}"
-echo -e "  URL:      http://${APACHE_SERVER_NAME}/"
+if [ -n "$SSL_EMAIL" ]; then
+    echo -e "  URL:      https://${APACHE_SERVER_NAME}/"
+    echo -e "  SSL:      Let's Encrypt (auto-renewal enabled)"
+else
+    echo -e "  URL:      https://${APACHE_SERVER_NAME}/"
+    echo -e "  SSL:      Self-signed certificate"
+    echo -e ""
+    echo -e "${COLOR_YELLOW}Note: Your browser will show a security warning for self-signed${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}      certificates. For production, use Let's Encrypt by setting${COLOR_RESET}"
+    echo -e "${COLOR_YELLOW}      SSL_EMAIL=your@email.com${COLOR_RESET}"
+fi
 echo -e "  Username: admin"
 echo -e "  Password: pointofsale"
 echo ""