Bump boulder version to release-2024-12-10

2026-01-27 10:19:34 +00:00 · 2024-12-13 18:00:40 +01:00
parent 7de126698f
commit 120048ff30
20 changed files with 65 additions and 88 deletions
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-10-28"
+boulderTag="release-2024-12-10"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index c3a3ed7b8..ef54a180d 100644
+index 93d0c25bc..237472a2e 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -173,6 +173,9 @@ processes = []
+@@ -169,6 +169,9 @@ processes = []
 challSrvProcess = None
 
 def install(race_detection):
--- a/control_do.sh
+++ b/control_do.sh
@@ -36,10 +36,6 @@ setup_boulder_data() {
    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
-    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
-    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-a.json
-    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-b.json
-    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-b.json

    /opt/labca/apply-boulder
 }
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -65,8 +65,6 @@ fi
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-a.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-b.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json
-perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-a.json
-perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-b.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/bad-key-revoker.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/expiration-mailer.json
 for fl in $(grep -Rl maxConnectionAge config/); do
@@ -75,8 +73,6 @@ done
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-a.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-b.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
-sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json
-sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json
 sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_DOMAIN\"/" config/wfe2.json

 if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
@@ -149,8 +145,6 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-a.json
    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-b.json
    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json
-    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-a.json
-    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-b.json
 fi

 CRLINT=24h
@@ -258,7 +252,7 @@ if [ -e $PKI_ROOT_CERT_BASE.pem ]; then
    cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
 fi

-chown -R `ls -l example-weak-keys.json | cut -d" " -f 3,4 | sed 's/ /:/g'` .
+chown -R `ls -l helpers.py | cut -d" " -f 3,4 | sed 's/ /:/g'` .

 if [ -e $PKI_INT_CERT_BASE.key ] && [ -e $PKI_ROOT_CERT_BASE.pem ]; then
    [ -f setup_complete ] || touch setup_complete
--- a/6
+++ b/6
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-10-28"
+boulderTag="release-2024-12-10"

 # Feature flags
 flag_skip_redis=true
@@ -676,10 +676,6 @@ config_boulder() {
        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
-        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
-        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-a.json
-        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-b.json
-        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va-remote-b.json
        cd "$boulderDir"
    fi

--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -33,13 +33,9 @@ cp test/config/va*.json "$boulderLabCADir/config/"
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-a.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-b.json
-perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json
-perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-a.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-b.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json
-perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-a.json
-perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-b.json

 if [ "$flag_skip_redis" == true ]; then
    perl -i -p0e "s/\n    \"redis\": \{\n.*?    \},//igs" $boulderLabCADir/config/ocsp-responder.json
@@ -76,13 +72,9 @@ sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.j
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
-sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
-sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json
-sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
-sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json
 sed -i -e "s/\"endpoint\": \".*\"/\"endpoint\": \"\"/" config/sfe.json
 sed -i -e "s/sleep 1/sleep 5/g" wait-for-it.sh

--- a/patches/bad-key-revoker_main.patch
+++ b/patches/bad-key-revoker_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
-index e7015e0c8..9e226d2fa 100644
+index c333b88c3..839437c4e 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
@@ -18,6 +18,7 @@ import (
@@ -10,7 +10,7 @@ index e7015e0c8..9e226d2fa 100644
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/config"
 	"github.com/letsencrypt/boulder/core"
-@@ -396,6 +397,11 @@ type Config struct {
+@@ -398,6 +399,11 @@ type Config struct {
 		TLS       cmd.TLSConfig
 		RAService *cmd.GRPCClientConfig
 
@@ -22,7 +22,7 @@ index e7015e0c8..9e226d2fa 100644
 		// MaximumRevocations specifies the maximum number of certificates associated with
 		// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
 		// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -467,8 +473,35 @@ func main() {
+@@ -469,8 +475,35 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
 	rac := rapb.NewRegistrationAuthorityClient(conn)
 
@@ -59,7 +59,7 @@ index e7015e0c8..9e226d2fa 100644
 		pem, err := os.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
 		cmd.FailOnError(err, "Loading trusted roots file")
 		smtpRoots = x509.NewCertPool()
-@@ -488,6 +521,8 @@ func main() {
+@@ -490,6 +523,8 @@ func main() {
 		config.BadKeyRevoker.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,16 +1,16 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index 60353424a..90dbe627a 100644
+index f2c2c8487..86fb29457 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -21,6 +21,7 @@ type Config struct {
- 		RemoteVAs                   []cmd.GRPCClientConfig `validate:"omitempty,dive"`
- 		MaxRemoteValidationFailures int                    `validate:"omitempty,min=0,required_with=RemoteVAs"`
+@@ -56,6 +56,7 @@ type Config struct {
+ 		// Deprecated and ignored
+ 		MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"`
 		Features                    features.Config
 +		LabCADomains                []string
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -117,7 +118,8 @@ func main() {
+@@ -153,7 +154,8 @@ func main() {
 		logger,
 		c.VA.AccountURIPrefixes,
 		va.PrimaryPerspective,
--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index d2d48e558..a6114ffdd 100644
+index 87a6fc52c..739ce53e7 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -159,10 +159,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -177,10 +177,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/cert-checker_main.patch
+++ b/patches/cert-checker_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index d432fde00..1380c1cc5 100644
+index 975922c58..3767e83bb 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
@@ -106,6 +106,7 @@ type certChecker struct {
@@ -58,7 +58,7 @@ index d432fde00..1380c1cc5 100644
 	// Validate PA config and set defaults if needed.
 	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
 
-@@ -584,6 +590,7 @@ func main() {
+@@ -578,6 +584,7 @@ func main() {
 		config.CertChecker.CheckPeriod.Duration,
 		acceptableValidityDurations,
 		logger,
--- a/patches/config_ra.patch
+++ b/patches/config_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/test/config/ra.json b/test/config/ra.json
-index e9f79e4f0..204f605c3 100644
+index e13ca9cf8..cda9192ab 100644
 --- a/test/config/ra.json
 +++ b/test/config/ra.json
-@@ -14,12 +14,7 @@
+@@ -12,12 +12,7 @@
 		},
 		"orderLifetime": "168h",
 		"issuerCerts": [
--- a/patches/config_wfe2.patch
+++ b/patches/config_wfe2.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/wfe2.json b/test/config/wfe2.json
-index 05d46fe95..c0e4a2a27 100644
+index 6a5f95ef0..b880db50f 100644
 --- a/test/config/wfe2.json
 +++ b/test/config/wfe2.json
@@ -12,6 +12,7 @@
@@ -8,9 +8,9 @@ index 05d46fe95..c0e4a2a27 100644
 		"directoryWebsite": "https://github.com/letsencrypt/boulder",
 +		"hostnamePolicyFile": "test/hostname-policy.yaml",
 		"legacyKeyIDPrefix": "http://boulder.service.consul:4000/reg/",
- 		"goodkey": {
- 			"blockedKeyFile": "test/example-blocked-keys.yaml"
-@@ -79,26 +80,6 @@
+ 		"goodkey": {},
+ 		"tls": {
+@@ -77,26 +78,6 @@
 			[
 				"test/certs/webpki/int-rsa-a.cert.pem",
 				"test/certs/webpki/root-rsa.cert.pem"
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index 46fa939a6..43f7c11b5 100644
+index eed765273..e17bfde1c 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
@@ -23,6 +23,7 @@ import (
@@ -31,9 +31,9 @@ index 46fa939a6..43f7c11b5 100644
 -		err = policy.ValidEmail(address)
 +		err = pa.ValidEmail(address)
 		if err != nil {
- 			m.log.Debugf("skipping invalid email %q: %s", address, err)
+ 			m.log.Debugf("skipping invalid email: %s", err)
 			continue
-@@ -701,6 +706,11 @@ type Config struct {
+@@ -697,6 +702,11 @@ type Config struct {
 		TLS       cmd.TLSConfig
 		SAService *cmd.GRPCClientConfig
 
@@ -45,7 +45,7 @@ index 46fa939a6..43f7c11b5 100644
 		// Path to a file containing a list of trusted root certificates for use
 		// during the SMTP connection (as opposed to the gRPC connections).
 		SMTPTrustedRootFile string
-@@ -854,8 +864,35 @@ func main() {
+@@ -850,8 +860,35 @@ func main() {
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := sapb.NewStorageAuthorityClient(conn)
 
@@ -82,7 +82,7 @@ index 46fa939a6..43f7c11b5 100644
 		pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
 		cmd.FailOnError(err, "Loading trusted roots file")
 		smtpRoots = x509.NewCertPool()
-@@ -889,6 +926,8 @@ func main() {
+@@ -885,6 +922,8 @@ func main() {
 		c.Mailer.Username,
 		smtpPassword,
 		smtpRoots,
--- a/patches/policy_pa.patch
+++ b/patches/policy_pa.patch
@@ -1,5 +1,5 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index 26edbdbdf..177fddba2 100644
+index fac69d3b9..217c465fe 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
@@ -31,6 +31,9 @@ type AuthorityImpl struct {
@@ -110,7 +110,7 @@ index 26edbdbdf..177fddba2 100644
 }
 
 // forbiddenMailDomains is a map of domain names we do not allow after the
-@@ -333,7 +361,7 @@ var forbiddenMailDomains = map[string]bool{
+@@ -333,14 +361,14 @@ var forbiddenMailDomains = map[string]bool{
 // ValidEmail returns an error if the input doesn't parse as an email address,
 // the domain isn't a valid hostname in Preferred Name Syntax, or its on the
 // list of domains forbidden for mail (because they are often used in examples).
@@ -118,17 +118,16 @@ index 26edbdbdf..177fddba2 100644
 +func (pa *AuthorityImpl) ValidEmail(address string) error {
 	email, err := mail.ParseAddress(address)
 	if err != nil {
- 		if len(address) > 254 {
-@@ -343,7 +371,7 @@ func ValidEmail(address string) error {
+ 		return berrors.InvalidEmailError("unable to parse email address")
 	}
 	splitEmail := strings.SplitN(email.Address, "@", -1)
 	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
 -	err = validNonWildcardDomain(domain)
 +	err = pa.ValidNonWildcardDomain(domain, true)
 	if err != nil {
- 		return berrors.InvalidEmailError(
- 			"contact email %q has invalid domain : %s",
-@@ -387,7 +415,7 @@ func subError(name string, err error) berrors.SubBoulderError {
+ 		return berrors.InvalidEmailError("contact email has invalid domain: %s", err)
+ 	}
+@@ -382,7 +410,7 @@ func subError(name string, err error) berrors.SubBoulderError {
 //
 // Precondition: all input domain names must be in lowercase.
 func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
@@ -137,7 +136,7 @@ index 26edbdbdf..177fddba2 100644
 	if err != nil {
 		return err
 	}
-@@ -406,6 +434,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
+@@ -401,6 +429,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
 			}
 		}
 
@@ -148,7 +147,7 @@ index 26edbdbdf..177fddba2 100644
 		// For both wildcard and non-wildcard domains, check whether any parent domain
 		// name is on the regular blocklist.
 		err := pa.checkHostLists(domain)
-@@ -439,10 +471,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
+@@ -434,10 +466,10 @@ func (pa *AuthorityImpl) WillingToIssue(domains []string) error {
 //
 // If multiple domains are invalid, the error will contain suberrors specific to
 // each domain.
@@ -161,7 +160,7 @@ index 26edbdbdf..177fddba2 100644
 		if err != nil {
 			subErrors = append(subErrors, subError(domain, err))
 		}
-@@ -476,6 +508,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
+@@ -471,6 +503,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
 	return nil
 }
 
@@ -196,7 +195,7 @@ index 26edbdbdf..177fddba2 100644
 // checkWildcardHostList checks the wildcardExactBlocklist for a given domain.
 // If the domain is not present on the list nil is returned, otherwise
 // errPolicyForbidden is returned.
-@@ -505,6 +565,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
+@@ -500,6 +560,9 @@ func (pa *AuthorityImpl) checkHostLists(domain string) error {
 	labels := strings.Split(domain, ".")
 	for i := range labels {
 		joined := strings.Join(labels[i:], ".")
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 63ed21376..018ed136c 100644
+index 64d494c74..7ae5bb471 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -44,7 +44,6 @@ import (
+@@ -43,7 +43,6 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -10,9 +10,9 @@ index 63ed21376..018ed136c 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -508,7 +507,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
- 				contact,
- 			)
+@@ -464,7 +463,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+ 		if !core.IsASCII(contact) {
+ 			return berrors.InvalidEmailError("contact email contains non-ASCII characters")
 		}
 -		err = policy.ValidEmail(parsed.Opaque)
 +		err = ra.PA.ValidEmail(parsed.Opaque)
--- a/patches/ratelimits_names.patch
+++ b/patches/ratelimits_names.patch
@@ -1,8 +1,8 @@
 diff --git a/ratelimits/names.go b/ratelimits/names.go
-index c70f39536..b0e14209c 100644
+index 99221ae0c..6106a34e7 100644
 --- a/ratelimits/names.go
 +++ b/ratelimits/names.go
-@@ -151,7 +151,11 @@ func validateRegId(id string) error {
+@@ -162,7 +162,11 @@ func validateRegId(id string) error {
 // validateDomain validates that the provided string is formatted 'domain',
 // where domain is a domain name.
 func validateDomain(id string) error {
@@ -15,7 +15,7 @@ index c70f39536..b0e14209c 100644
 	if err != nil {
 		return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err)
 	}
-@@ -172,7 +176,11 @@ func validateRegIdDomain(id string) error {
+@@ -183,7 +187,11 @@ func validateRegIdDomain(id string) error {
 		return fmt.Errorf(
 			"invalid regId, %q must be formatted 'regId:domain'", id)
 	}
@@ -28,7 +28,7 @@ index c70f39536..b0e14209c 100644
 	if err != nil {
 		return fmt.Errorf(
 			"invalid domain, %q must be formatted 'regId:domain': %w", id, err)
-@@ -188,7 +196,11 @@ func validateFQDNSet(id string) error {
+@@ -199,7 +207,11 @@ func validateFQDNSet(id string) error {
 		return fmt.Errorf(
 			"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
 	}
--- a/patches/remoteva_main.patch
+++ b/patches/remoteva_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
-index 49db5c179..7c5931a04 100644
+index 97320f971..6df388e3f 100644
 --- a/cmd/remoteva/main.go
 +++ b/cmd/remoteva/main.go
@@ -60,7 +60,8 @@ type Config struct {
@@ -12,7 +12,7 @@ index 49db5c179..7c5931a04 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -143,7 +144,8 @@ func main() {
+@@ -142,7 +143,8 @@ func main() {
 		logger,
 		c.RVA.AccountURIPrefixes,
 		c.RVA.Perspective,
--- a/patches/va_va.patch
+++ b/patches/va_va.patch
@@ -1,8 +1,8 @@
 diff --git a/va/va.go b/va/va.go
-index 17c03cf6e..237d82c6b 100644
+index a1e2cd449..883298092 100644
 --- a/va/va.go
 +++ b/va/va.go
-@@ -260,6 +260,7 @@ type ValidationAuthorityImpl struct {
+@@ -215,6 +215,7 @@ type ValidationAuthorityImpl struct {
 	singleDialTimeout  time.Duration
 	perspective        string
 	rir                string
@@ -10,7 +10,7 @@ index 17c03cf6e..237d82c6b 100644
 
 	metrics *vaMetrics
 }
-@@ -280,6 +281,7 @@ func NewValidationAuthorityImpl(
+@@ -234,6 +235,7 @@ func NewValidationAuthorityImpl(
 	accountURIPrefixes []string,
 	perspective string,
 	rir string,
@@ -18,7 +18,7 @@ index 17c03cf6e..237d82c6b 100644
 ) (*ValidationAuthorityImpl, error) {
 
 	if len(accountURIPrefixes) == 0 {
-@@ -308,6 +310,7 @@ func NewValidationAuthorityImpl(
+@@ -271,6 +273,7 @@ func NewValidationAuthorityImpl(
 		singleDialTimeout: 10 * time.Second,
 		perspective:       perspective,
 		rir:               rir,
--- a/patches/wfe2_main.patch
+++ b/patches/wfe2_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index 61698d16c..0bebc2d4b 100644
+index 699ed0d78..01ae1f741 100644
 --- a/cmd/boulder-wfe2/main.go
 +++ b/cmd/boulder-wfe2/main.go
-@@ -95,7 +95,7 @@ type Config struct {
+@@ -105,7 +105,7 @@ type Config struct {
 		// DirectoryCAAIdentity is used for the /directory response's "meta"
 		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
 		// configuration value (this value is the one used to enforce CAA)
@@ -11,7 +11,7 @@ index 61698d16c..0bebc2d4b 100644
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
-@@ -182,6 +182,8 @@ type Config struct {
+@@ -192,6 +192,8 @@ type Config struct {
 			// to enable the pausing feature.
 			URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
 		}
@@ -20,7 +20,7 @@ index 61698d16c..0bebc2d4b 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -387,6 +389,7 @@ func main() {
+@@ -403,6 +405,7 @@ func main() {
 		unpauseSigner,
 		c.WFE.Unpause.JWTLifetime.Duration,
 		c.WFE.Unpause.URL,
--- a/patches/wfe2_wfe.patch
+++ b/patches/wfe2_wfe.patch
@@ -1,16 +1,16 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index 1f4b11fa5..64239cf58 100644
+index 6b753b53d..e49164461 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
-@@ -25,6 +25,7 @@ import (
- 	"golang.org/x/exp/maps"
+@@ -23,6 +23,7 @@ import (
+ 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/protobuf/types/known/emptypb"
 
 +	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
 	berrors "github.com/letsencrypt/boulder/errors"
-@@ -174,6 +175,8 @@ type WebFrontEndImpl struct {
+@@ -177,6 +178,8 @@ type WebFrontEndImpl struct {
 	// descriptions (perhaps including URLs) of those profiles. NewOrder
 	// Requests with a profile name not present in this map will be rejected.
 	certProfiles map[string]string
@@ -19,7 +19,7 @@ index 1f4b11fa5..64239cf58 100644
 }
 
 // NewWebFrontEndImpl constructs a web service for Boulder
-@@ -201,6 +204,7 @@ func NewWebFrontEndImpl(
+@@ -204,6 +207,7 @@ func NewWebFrontEndImpl(
 	unpauseSigner unpause.JWTSigner,
 	unpauseJWTLifetime time.Duration,
 	unpauseURL string,
@@ -27,7 +27,7 @@ index 1f4b11fa5..64239cf58 100644
 ) (WebFrontEndImpl, error) {
 	if len(issuerCertificates) == 0 {
 		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
-@@ -242,6 +246,7 @@ func NewWebFrontEndImpl(
+@@ -245,6 +249,7 @@ func NewWebFrontEndImpl(
 		unpauseSigner:                unpauseSigner,
 		unpauseJWTLifetime:           unpauseJWTLifetime,
 		unpauseURL:                   unpauseURL,
@@ -35,7 +35,7 @@ index 1f4b11fa5..64239cf58 100644
 	}
 
 	return wfe, nil
-@@ -2308,8 +2313,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2374,8 +2379,25 @@ func (wfe *WebFrontEndImpl) NewOrder(
 		names[i] = ident.Value
 	}