anvil
cert-puller tries to install certs no longer listed in .conf file
Downloaded certs are stored in /var/db/anvil (or DOWNLOAD_DIR).
If you remove a cert from the .conf file, cert-puller will no longer attempt to fetch that cert.
When modifying the .conf file, best practice is to run cert-puller -s and use the output to update the sudoers file (on FreeBSD, via visudo).
However, the removed cert is still stashed in DOWNLOAD_DIR, and you'll get sudo errors when cert-puller attempts to install that cert, because it's still in DOWNLOAD_DIR.
Two solutions:
- clear DOWNLOAD_DIR upon startup
- use the list of configured certs to walk through DOWNLOAD_DIR contents, finding stuff to install
Either should work.
The clear option starts with a fresh slate. At present, cert-puller never deletes anything in that directory. A delete will be safe because this is running as non-root.
The .conf file solution is clean because then the fetch and the install both use the same source and ignore what is on disk.
The current solution to this problem: remove the errant cert from /var/db/anvil
This hit me again today and I spent about 20 minutes trying to find my configuration error. :/
I think DOWNLOAD_DIR should be changed to ~anvil/downloads.
After a run, delete what is in that directory.
I know I have done an su -l anvil to debug issues. This created a .bash_history file which anvil then attempted to install in the certs directory. Let's not do that again. ;)
I say installed because sudo permissions prevented that.
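The two fixes discussed in this issue, as an added example that is not anvil's own cert-puller code. It assumes, for illustration only, that the .conf file lists one cert name per line (with # comments), that a downloaded cert sits at DOWNLOAD_DIR/<name>.pem, and that "install" means copying into a CERT_DIR (the real tool would go through sudo there). install_configured_certs walks the configured list rather than the directory, so a removed cert or a stray .bash_history in DOWNLOAD_DIR is never touched; prune_download_dir is a slightly more general form of the "clear DOWNLOAD_DIR" option that deletes only what is no longer configured, which is safe to run as the unprivileged anvil user because it only touches its own download directory.

```shell
#!/bin/sh
# Added example, not anvil's code. Hypothetical layout:
#   CONF          one cert name per line, '#' comments allowed
#   DOWNLOAD_DIR  holds <name>.pem as fetched by cert-puller
#   CERT_DIR      where an installed cert ends up (plain cp here, sudo in real life)

# list_configured_certs CONF -> configured cert names, one per line
list_configured_certs() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# install_configured_certs CONF DOWNLOAD_DIR CERT_DIR
# Drives the install from the .conf list, not from what is on disk, so
# whatever else is sitting in DOWNLOAD_DIR is ignored. Prints each name installed.
install_configured_certs() {
  conf=$1; dl=$2; dest=$3
  list_configured_certs "$conf" | while IFS= read -r name; do
    src="$dl/$name.pem"
    if [ ! -f "$src" ]; then
      echo "skip: $name not present in $dl" >&2
      continue
    fi
    cp "$src" "$dest/$name.pem"
    echo "$name"
  done
}

# prune_download_dir CONF DOWNLOAD_DIR
# Removes anything in DOWNLOAD_DIR (dotfiles included) that is not a
# configured <name>.pem. Prints each file removed.
prune_download_dir() {
  conf=$1; dl=$2
  for f in "$dl"/* "$dl"/.[!.]*; do
    [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
    base=$(basename "$f")
    name=${base%.pem}
    if [ "$base" = "$name" ] || ! list_configured_certs "$conf" | grep -qxF "$name"; then
      rm -f "$f"
      echo "removed: $base"
    fi
  done
}

# demo with constructed files in a temp dir: one cert removed from the config
# but still downloaded, plus a stray .bash_history from an "su -l anvil"
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/downloads" "$tmp/certs"
  printf 'example.org\n# old.example.org was removed\nmail.example.org\n' > "$tmp/anvil.conf"
  echo "cert-a"   > "$tmp/downloads/example.org.pem"
  echo "cert-b"   > "$tmp/downloads/mail.example.org.pem"
  echo "cert-old" > "$tmp/downloads/old.example.org.pem"   # no longer configured
  echo "ls -la"   > "$tmp/downloads/.bash_history"         # debugging debris
  install_configured_certs "$tmp/anvil.conf" "$tmp/downloads" "$tmp/certs"
  prune_download_dir "$tmp/anvil.conf" "$tmp/downloads"
  ls -A "$tmp/downloads" "$tmp/certs"
  rm -rf "$tmp"
}

demo
```

Running the demo installs only example.org and mail.example.org, then removes old.example.org.pem and .bash_history from the download directory, which is the behaviour the issue asks for: nothing that was dropped from the .conf file, and nothing that was never a cert, ever reaches the sudo-protected install step.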