Bump boulder version to release-2025-03-10

.github/workflows/build-standalone.yml

@@ -15,7 +15,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - 1.23.1
+          - 1.24.1
 
     steps:
       - name: Checkout

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
       fail-fast: false
       matrix:
         GO_VERSION:
-          - 1.23.1
+          - 1.24.1
 
     steps:
       - name: Checkout

build/Dockerfile-boulder

@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.23.1_2024-09-05 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.24.1_2025-03-10 AS boulder-tools
 
 FROM ubuntu:focal
 

build/build.sh

@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 
 boulderDir=$TMP_DIR/src
-boulderTag="release-2025-02-14"
+boulderTag="release-2025-03-10"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
 

build/docker-compose.yml

@@ -9,7 +9,7 @@ services:
       context: test/boulder-tools/
       # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
       args:
-        GO_VERSION: 1.23.1
+        GO_VERSION: 1.24.1
     environment:
       # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
       # to the IP address where your ACME client's solver is listening.

build/tmp2.patch

@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 93d0c25bc..237472a2e 100644
+index c42a1bb51..9eeac8906 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -169,6 +169,9 @@ processes = []
+@@ -194,6 +194,9 @@ processes = []
  challSrvProcess = None
  
  def install(race_detection):

dev/versions

@@ -57,8 +57,13 @@ colorGoVersion() {
     local fileName="$1"
     local expectVersion="$2"
 
-    if [ ! -z "$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | grep $expectVersion || echo "")" ]; then
-        res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/$expectVersion/${COL_LIGHT_GREEN}$expectVersion${COL_NC}/")
+    first=$(echo $expectVersion | cut -d " " -f 1)
+    second=$(echo $expectVersion | cut -d " " -f 2)
+
+    if [ ! -z "$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | grep $first || echo "")" ]; then
+        res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/$first/${COL_LIGHT_GREEN}$first${COL_NC}/")
+    elif [ ! -z "$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | grep $second || echo "")" ]; then
+        res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/$second/${COL_YELLOW}$second${COL_NC}/")
     else
         res=$(grep GO_VERSION -A 3 $fileName | egrep "\- [\"0-9]+" | sed -e "s/\([0-9\.]*\)/${COL_LIGHT_RED}\1${COL_NC}/g")
     fi
@@ -116,8 +121,8 @@ echo
 goversion=$(grep GO_VERSION -A 3 ../boulder/.github/workflows/release.yml | egrep "\- [\"0-9]+" | sed -e "s/\s*-\s*//" | sed -e "s/\"//g")
 echo "Boulder .github/workflows/release.yml"
 grep GO_VERSION -A 3 ../boulder/.github/workflows/release.yml | egrep "\- [\"0-9]+" | sed -e "s/yml-/yml/"
-colorGoVersion .github/workflows/release.yml $goversion
-colorGoVersion .github/workflows/build-standalone.yml $goversion
+colorGoVersion .github/workflows/release.yml "$goversion"
+colorGoVersion .github/workflows/build-standalone.yml "$goversion"
 echo
 
 goversion=$(grep GO_VERSION ../boulder/docker-compose.yml | sed -e "s/\s*GO_VERSION://")

install

@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2025-02-14"
+boulderTag="release-2025-03-10"
 
 #
 # Color configuration
@@ -238,12 +238,12 @@ clone_or_pull() {
 # Checkout the latest release tag
 checkout_release() {
     local branch="$1"
-    if [ "$branch" == "" ] || [ "$branch" == "master" ] || [ "$branch" == "main" ]; then
+    if [ "$branch" == "" ] || [ "$branch" == "master" ]; then
         cd "$cloneDir"
         if [ "$curChecksum" == "" ]; then
             curChecksum=$(md5sum $cloneDir/install 2>/dev/null | cut -d' ' -f1)
         fi
-        TAG=$(sudo -u labca -H git describe --tags $(sudo -u labca -H git rev-list --tags --max-count=1))
+        TAG=$(sudo -u labca -H git describe --tags origin/master | cut -d "-" -f 1)
         sudo -u labca -H git reset --hard $TAG &>>$installLog
     fi
 }

patch.sh

@@ -53,6 +53,7 @@ $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
 $SUDO patch -p1 < $cloneDir/patches/redis_config.patch
 $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
 $SUDO patch -p1 < $cloneDir/patches/start.patch
+$SUDO patch -p1 < $cloneDir/patches/test_startservers.patch
 if [ "$SUDO" == "" ]; then
     # TODO: should include this into startservers.patch
     $SUDO patch -p1 < $cloneDir/build/tmp2.patch

patches/boulder-ra_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
-index 038935507..44dadd086 100644
+index 5bc425c60..842277b13 100644
 --- a/cmd/boulder-ra/main.go
 +++ b/cmd/boulder-ra/main.go
-@@ -273,6 +273,8 @@ func main() {
+@@ -281,6 +281,8 @@ func main() {
  		limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger)
  		cmd.FailOnError(err, "Failed to create Redis ring")
  

patches/boulder-va_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index f2c2c8487..86fb29457 100644
+index e18989222..809e0c19e 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -56,6 +56,7 @@ type Config struct {
+@@ -52,6 +52,7 @@ type Config struct {
  		// Deprecated and ignored
  		MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"`
  		Features                    features.Config
@@ -10,12 +10,12 @@ index f2c2c8487..86fb29457 100644
  	}
  
  	Syslog        cmd.SyslogConfig
-@@ -153,7 +154,8 @@ func main() {
- 		logger,
+@@ -150,7 +151,8 @@ func main() {
  		c.VA.AccountURIPrefixes,
  		va.PrimaryPerspective,
--		"")
-+		"",
+ 		"",
+-		bdns.IsReservedIP)
++		bdns.IsReservedIP,
 +		c.VA.LabCADomains)
  	cmd.FailOnError(err, "Unable to create VA server")
  

patches/ca_ca.patch

@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 3c4e8170c..11792593a 100644
+index a598fc5cd..264ec35cc 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -171,10 +171,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -182,10 +182,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
  		}
  	}
  	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {

patches/ca_ca_keytype_hack.patch

@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 11792593a..92310d73b 100644
+index 264ec35cc..f56e9a342 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -171,10 +171,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -182,10 +182,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
  		}
  	}
  	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {

patches/ceremony_main.patch

@@ -1,10 +1,10 @@
 diff --git a/cmd/ceremony/main.go b/cmd/ceremony/main.go
-index f18979fef..0aa8eb0c7 100644
+index 12cc9249c..8ac5af0a3 100644
 --- a/cmd/ceremony/main.go
 +++ b/cmd/ceremony/main.go
 @@ -98,6 +98,7 @@ type keyGenConfig struct {
  	Type         string `yaml:"type"`
- 	RSAModLength uint   `yaml:"rsa-mod-length"`
+ 	RSAModLength int    `yaml:"rsa-mod-length"`
  	ECDSACurve   string `yaml:"ecdsa-curve"`
 +	Extractable  bool   `yaml:"extractable"`
  }

patches/ceremony_rsa.patch

@@ -1,17 +1,17 @@
 diff --git a/cmd/ceremony/rsa.go b/cmd/ceremony/rsa.go
-index 69e326b39..1bd60f750 100644
+index 7d0eb4b30..465857f3a 100644
 --- a/cmd/ceremony/rsa.go
 +++ b/cmd/ceremony/rsa.go
-@@ -18,7 +18,7 @@ const (
+@@ -19,7 +19,7 @@ const (
  // device and specifies which mechanism should be used. modulusLen specifies the
  // length of the modulus to be generated on the device in bits and exponent
  // specifies the public exponent that should be used.
--func rsaArgs(label string, modulusLen, exponent uint, keyID []byte) generateArgs {
-+func rsaArgs(label string, modulusLen, exponent uint, keyID []byte, extractable bool) generateArgs {
+-func rsaArgs(label string, modulusLen int, keyID []byte) generateArgs {
++func rsaArgs(label string, modulusLen int, keyID []byte, extractable bool) generateArgs {
  	// Encode as unpadded big endian encoded byte slice
- 	expSlice := big.NewInt(int64(exponent)).Bytes()
- 	log.Printf("\tEncoded public exponent (%d) as: %0X\n", exponent, expSlice)
-@@ -44,7 +44,7 @@ func rsaArgs(label string, modulusLen, exponent uint, keyID []byte) generateArgs
+ 	expSlice := big.NewInt(rsaExp).Bytes()
+ 	log.Printf("\tEncoded public exponent (%d) as: %0X\n", rsaExp, expSlice)
+@@ -45,7 +45,7 @@ func rsaArgs(label string, modulusLen int, keyID []byte) generateArgs {
  			// Prevent attributes being retrieved
  			pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true),
  			// Prevent the key being extracted from the device
@@ -20,20 +20,20 @@ index 69e326b39..1bd60f750 100644
  			// Allow the key to create signatures
  			pkcs11.NewAttribute(pkcs11.CKA_SIGN, true),
  		},
-@@ -75,14 +75,14 @@ func rsaPub(session *pkcs11helpers.Session, object pkcs11.ObjectHandle, modulusL
+@@ -76,14 +76,14 @@ func rsaPub(session *pkcs11helpers.Session, object pkcs11.ObjectHandle, modulusL
  // specified by modulusLen and with the exponent 65537.
  // It returns the public part of the generated key pair as a rsa.PublicKey
  // and the random key ID that the HSM uses to identify the key pair.
--func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen uint) (*rsa.PublicKey, []byte, error) {
-+func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen uint, extractable bool) (*rsa.PublicKey, []byte, error) {
+-func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen int) (*rsa.PublicKey, []byte, error) {
++func rsaGenerate(session *pkcs11helpers.Session, label string, modulusLen int, extractable bool) (*rsa.PublicKey, []byte, error) {
  	keyID := make([]byte, 4)
  	_, err := newRandReader(session).Read(keyID)
  	if err != nil {
  		return nil, nil, err
  	}
  	log.Printf("Generating RSA key with %d bit modulus and public exponent %d and ID %x\n", modulusLen, rsaExp, keyID)
--	args := rsaArgs(label, modulusLen, rsaExp, keyID)
-+	args := rsaArgs(label, modulusLen, rsaExp, keyID, extractable)
+-	args := rsaArgs(label, modulusLen, keyID)
++	args := rsaArgs(label, modulusLen, keyID, extractable)
  	pub, _, err := session.GenerateKeyPair(args.mechanism, args.publicAttrs, args.privateAttrs)
  	if err != nil {
  		return nil, nil, err

patches/config_crl-updater.patch

@@ -1,8 +1,8 @@
 diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json
-index 21f3603bb..77450c65f 100644
+index eb5ba23e0..c4d40af92 100644
 --- a/test/config/crl-updater.json
 +++ b/test/config/crl-updater.json
-@@ -36,19 +36,14 @@
+@@ -36,18 +36,13 @@
  			"hostOverride": "crl-storer.boulder"
  		},
  		"issuerCerts": [
@@ -18,13 +18,11 @@ index 21f3603bb..77450c65f 100644
 -		"shardWidth": "240h",
 -		"lookbackPeriod": "24h",
 -		"updatePeriod": "6h",
--		"updateOffset": "9120s",
 -		"maxParallelism": 10,
 +		"numShards": 1,
 +		"shardWidth": "24h",
 +		"lookbackPeriod": "96h",
 +		"updatePeriod": "24h",
-+		"updateOffset": "5m",
 +		"maxParallelism": 1,
  		"maxAttempts": 5,
  		"features": {}

patches/linter_linter.patch

@@ -1,8 +1,8 @@
 diff --git a/linter/linter.go b/linter/linter.go
-index e9bf33b85..e88cc6b7f 100644
+index 249e5ab91..59cc14b57 100644
 --- a/linter/linter.go
 +++ b/linter/linter.go
-@@ -200,10 +200,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
+@@ -201,10 +201,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
  		SubjectKeyId:                realIssuer.SubjectKeyId,
  		URIs:                        realIssuer.URIs,
  		UnknownExtKeyUsage:          realIssuer.UnknownExtKeyUsage,

patches/ra_ra.patch

@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 82244d216..10d15a624 100644
+index 091a40ab6..a89f1e3e2 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -44,7 +44,6 @@ import (
+@@ -43,7 +43,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index 82244d216..10d15a624 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -582,7 +581,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -593,7 +592,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
  		if !core.IsASCII(contact) {
  			return berrors.InvalidEmailError("contact email contains non-ASCII characters")
  		}
@@ -19,7 +19,7 @@ index 82244d216..10d15a624 100644
  		if err != nil {
  			return err
  		}
-@@ -1933,6 +1932,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
+@@ -1906,6 +1905,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
  		return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url)
  	}
  	shardStr := url[lastIndex+1:]

patches/remoteva_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
-index 97320f971..6df388e3f 100644
+index 0dc71028f..19962fb35 100644
 --- a/cmd/remoteva/main.go
 +++ b/cmd/remoteva/main.go
-@@ -60,7 +60,8 @@ type Config struct {
+@@ -56,7 +56,8 @@ type Config struct {
  		// For more information, see: https://pkg.go.dev/crypto/tls#ClientAuthType
  		SkipGRPCClientCertVerification bool
  
@@ -12,12 +12,12 @@ index 97320f971..6df388e3f 100644
  	}
  
  	Syslog        cmd.SyslogConfig
-@@ -142,7 +143,8 @@ func main() {
- 		logger,
+@@ -139,7 +140,8 @@ func main() {
  		c.RVA.AccountURIPrefixes,
  		c.RVA.Perspective,
--		c.RVA.RIR)
-+		c.RVA.RIR,
+ 		c.RVA.RIR,
+-		bdns.IsReservedIP)
++		bdns.IsReservedIP,
 +		c.RVA.LabCADomains)
  	cmd.FailOnError(err, "Unable to create Remote-VA server")
  

patches/test_certs_generate.patch

@@ -1,5 +1,5 @@
 diff --git a/test/certs/generate.sh b/test/certs/generate.sh
-index 3f0e03d2c..7a57d0b3d 100755
+index fbcaa9628..d3bd089e9 100755
 --- a/test/certs/generate.sh
 +++ b/test/certs/generate.sh
 @@ -63,9 +63,9 @@ webpki() (
@@ -15,7 +15,7 @@ index 3f0e03d2c..7a57d0b3d 100755
  )
  
  if ! [ -d ipki ]; then
-@@ -73,6 +73,24 @@ if ! [ -d ipki ]; then
+@@ -73,6 +73,29 @@ if ! [ -d ipki ]; then
    ipki
  fi
  
@@ -25,6 +25,11 @@ index 3f0e03d2c..7a57d0b3d 100755
 +  minica -domains "admin.boulder" &
 +  cd -
 +fi
++if ! [ -d ipki/email-exporter.boulder ]; then
++  cd ipki
++  minica -domains "email-exporter.boulder" &
++  cd -
++fi
 +
 +end_date=$(openssl x509 -enddate -noout -in ipki/boulder/cert.pem | cut -d= -f2)
 +end_date_seconds=$(date -d "$end_date" +%s)

patches/test_config_ca.patch

@@ -1,8 +1,8 @@
 diff --git a/test/config/ca.json b/test/config/ca.json
-index a61df7e7c..9fa88c730 100644
+index 675304d97..01b2d56ce 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
-@@ -50,7 +50,8 @@
+@@ -60,7 +60,8 @@
  					"allowMustStaple": true,
  					"maxValidityPeriod": "7776000s",
  					"maxValidityBackdate": "1h5m",
@@ -12,7 +12,7 @@ index a61df7e7c..9fa88c730 100644
  					"ignoredLints": [
  						"w_subject_common_name_included",
  						"w_ext_subject_key_identifier_not_recommended_subscriber"
-@@ -64,7 +65,8 @@
+@@ -74,7 +75,8 @@
  					"omitSKID": true,
  					"maxValidityPeriod": "583200s",
  					"maxValidityBackdate": "1h5m",
@@ -22,7 +22,7 @@ index a61df7e7c..9fa88c730 100644
  					"ignoredLints": [
  						"w_ext_subject_key_identifier_missing_sub_cert"
  					]
-@@ -77,39 +79,7 @@
+@@ -100,39 +102,7 @@
  			"issuers": [
  				{
  					"active": true,
@@ -63,7 +63,7 @@ index a61df7e7c..9fa88c730 100644
  					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
  					"ocspURL": "http://ca.example.org:4002/",
  					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/",
-@@ -118,28 +88,6 @@
+@@ -141,28 +111,6 @@
  						"certFile": "test/certs/webpki/int-rsa-a.cert.pem",
  						"numSessions": 2
  					}

patches/test_startservers.patch

@@ -0,0 +1,15 @@
+diff --git a/test/startservers.py b/test/startservers.py
+index 8c812ea01..c42a1bb51 100644
+--- a/test/startservers.py
++++ b/test/startservers.py
+@@ -90,6 +90,10 @@ SERVICES = (
+         9667, None, None,
+         ('./bin/boulder', 'crl-storer', '--config', os.path.join(config_dir, 'crl-storer.json'), '--addr', ':9309', '--debug-addr', ':9667'),
+         ('s3-test-srv',)),
++    Service('crl-updater',
++        8021, None, None,
++        ('./bin/boulder', 'crl-updater', '--config', os.path.join(config_dir, 'crl-updater.json'), '--debug-addr', ':8021'),
++        ('boulder-ca-1', 'boulder-ca-2', 'boulder-sa-1', 'boulder-sa-2', 'crl-storer')),
+     Service('boulder-ra-1',
+         8002, 9394, 'ra.boulder',
+         ('./bin/boulder', 'boulder-ra', '--config', os.path.join(config_dir, 'ra.json'), '--addr', ':9394', '--debug-addr', ':8002'),

patches/va_http.patch

@@ -1,12 +1,12 @@
 diff --git a/va/http.go b/va/http.go
-index 5eefabcb4..0188d4005 100644
+index 04b119ca2..de9e439a5 100644
 --- a/va/http.go
 +++ b/va/http.go
-@@ -326,7 +326,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+@@ -338,7 +338,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (iden
  	}
  
  	if _, err := iana.ExtractSuffix(reqHost); err != nil {
--		return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD")
+-		return identifier.ACMEIdentifier{}, 0, berrors.ConnectionFailureError("Invalid host in redirect target, must end in IANA registered TLD")
 +		isLabca := false
 +		for _, domain := range va.labcaDomains {
 +			if strings.HasSuffix(reqHost, "."+domain) {
@@ -15,8 +15,8 @@ index 5eefabcb4..0188d4005 100644
 +		}
 +
 +		if !isLabca {
-+			return "", 0, berrors.ConnectionFailureError("Invalid hostname in redirect target, must end in IANA registered TLD")
++			return identifier.ACMEIdentifier{}, 0, berrors.ConnectionFailureError("Invalid host in redirect target, must end in IANA registered TLD")
 +		}
  	}
  
- 	return reqHost, reqPort, nil
+ 	return identifier.NewDNS(reqHost), reqPort, nil

patches/va_va.patch

@@ -1,27 +1,27 @@
 diff --git a/va/va.go b/va/va.go
-index a1e2cd449..883298092 100644
+index fcd35a5db..ad2b7c409 100644
 --- a/va/va.go
 +++ b/va/va.go
-@@ -215,6 +215,7 @@ type ValidationAuthorityImpl struct {
- 	singleDialTimeout  time.Duration
+@@ -217,6 +217,7 @@ type ValidationAuthorityImpl struct {
  	perspective        string
  	rir                string
+ 	isReservedIPFunc   func(ip net.IP) bool
 +	labcaDomains       []string
  
  	metrics *vaMetrics
  }
-@@ -234,6 +235,7 @@ func NewValidationAuthorityImpl(
- 	accountURIPrefixes []string,
+@@ -237,6 +238,7 @@ func NewValidationAuthorityImpl(
  	perspective string,
  	rir string,
+ 	reservedIPChecker func(ip net.IP) bool,
 +	labcaDomains []string,
  ) (*ValidationAuthorityImpl, error) {
  
  	if len(accountURIPrefixes) == 0 {
-@@ -271,6 +273,7 @@ func NewValidationAuthorityImpl(
- 		singleDialTimeout: 10 * time.Second,
+@@ -274,6 +276,7 @@ func NewValidationAuthorityImpl(
  		perspective:       perspective,
  		rir:               rir,
+ 		isReservedIPFunc:  reservedIPChecker,
 +		labcaDomains:      labcaDomains,
  	}
  

patches/wfe2_main.patch

@@ -1,5 +1,5 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index 9a44ce54d..460bef8c4 100644
+index 1f33c4746..65b670e96 100644
 --- a/cmd/boulder-wfe2/main.go
 +++ b/cmd/boulder-wfe2/main.go
 @@ -12,6 +12,7 @@ import (
@@ -7,10 +7,10 @@ index 9a44ce54d..460bef8c4 100644
  	"github.com/letsencrypt/boulder/cmd"
  	"github.com/letsencrypt/boulder/config"
 +	"github.com/letsencrypt/boulder/core"
+ 	emailpb "github.com/letsencrypt/boulder/email/proto"
  	"github.com/letsencrypt/boulder/features"
  	"github.com/letsencrypt/boulder/goodkey"
- 	"github.com/letsencrypt/boulder/goodkey/sagoodkey"
-@@ -19,6 +20,7 @@ import (
+@@ -20,6 +21,7 @@ import (
  	"github.com/letsencrypt/boulder/grpc/noncebalancer"
  	"github.com/letsencrypt/boulder/issuance"
  	"github.com/letsencrypt/boulder/nonce"
@@ -18,7 +18,7 @@ index 9a44ce54d..460bef8c4 100644
  	rapb "github.com/letsencrypt/boulder/ra/proto"
  	"github.com/letsencrypt/boulder/ratelimits"
  	bredis "github.com/letsencrypt/boulder/redis"
-@@ -97,7 +99,7 @@ type Config struct {
+@@ -99,7 +101,7 @@ type Config struct {
  		// DirectoryCAAIdentity is used for the /directory response's "meta"
  		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
  		// configuration value (this value is the one used to enforce CAA)
@@ -27,7 +27,7 @@ index 9a44ce54d..460bef8c4 100644
  		// DirectoryWebsite is used for the /directory response's "meta" element's
  		// "website" field.
  		DirectoryWebsite string `validate:"required,url"`
-@@ -180,6 +182,8 @@ type Config struct {
+@@ -175,6 +177,8 @@ type Config struct {
  			// to enable the pausing feature.
  			URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
  		}
@@ -36,7 +36,7 @@ index 9a44ce54d..460bef8c4 100644
  	}
  
  	Syslog        cmd.SyslogConfig
-@@ -318,11 +322,22 @@ func main() {
+@@ -315,11 +319,22 @@ func main() {
  	var limiter *ratelimits.Limiter
  	var txnBuilder *ratelimits.TransactionBuilder
  	var limiterRedis *bredis.Ring
@@ -59,7 +59,7 @@ index 9a44ce54d..460bef8c4 100644
  		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
  		limiter, err = ratelimits.NewLimiter(clk, source, stats)
  		cmd.FailOnError(err, "Failed to create rate limiter")
-@@ -362,6 +377,7 @@ func main() {
+@@ -359,6 +374,7 @@ func main() {
  		unpauseSigner,
  		c.WFE.Unpause.JWTLifetime.Duration,
  		c.WFE.Unpause.URL,

patches/wfe2_wfe.patch

@@ -1,8 +1,8 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index a88402313..8a20d72f9 100644
+index fe063e4fa..2f7aea67b 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
-@@ -162,6 +162,8 @@ type WebFrontEndImpl struct {
+@@ -163,6 +163,8 @@ type WebFrontEndImpl struct {
  	// descriptions (perhaps including URLs) of those profiles. NewOrder
  	// Requests with a profile name not present in this map will be rejected.
  	certProfiles map[string]string
@@ -11,7 +11,7 @@ index a88402313..8a20d72f9 100644
  }
  
  // NewWebFrontEndImpl constructs a web service for Boulder
-@@ -187,6 +189,7 @@ func NewWebFrontEndImpl(
+@@ -188,6 +190,7 @@ func NewWebFrontEndImpl(
  	unpauseSigner unpause.JWTSigner,
  	unpauseJWTLifetime time.Duration,
  	unpauseURL string,
@@ -19,7 +19,7 @@ index a88402313..8a20d72f9 100644
  ) (WebFrontEndImpl, error) {
  	if len(issuerCertificates) == 0 {
  		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
-@@ -204,6 +207,10 @@ func NewWebFrontEndImpl(
+@@ -205,6 +208,10 @@ func NewWebFrontEndImpl(
  		return WebFrontEndImpl{}, errors.New("must provide a service for nonce redemption")
  	}
  
@@ -30,7 +30,7 @@ index a88402313..8a20d72f9 100644
  	wfe := WebFrontEndImpl{
  		log:                logger,
  		clk:                clk,
-@@ -226,6 +233,7 @@ func NewWebFrontEndImpl(
+@@ -227,6 +234,7 @@ func NewWebFrontEndImpl(
  		unpauseSigner:      unpauseSigner,
  		unpauseJWTLifetime: unpauseJWTLifetime,
  		unpauseURL:         unpauseURL,
@@ -38,7 +38,34 @@ index a88402313..8a20d72f9 100644
  	}
  
  	return wfe, nil
-@@ -2243,7 +2251,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -617,7 +625,7 @@ func link(url, relation string) string {
+ // contactsToEmails converts a *[]string of contacts (e.g. mailto:
+ // person@example.com) to a []string of valid email addresses. Non-email
+ // contacts or contacts with invalid email addresses are ignored.
+-func contactsToEmails(contacts *[]string) []string {
++func contactsToEmails(contacts *[]string, pa *policy.AuthorityImpl) []string {
+ 	if contacts == nil {
+ 		return nil
+ 	}
+@@ -627,7 +635,7 @@ func contactsToEmails(contacts *[]string) []string {
+ 			continue
+ 		}
+ 		address := strings.TrimPrefix(c, "mailto:")
+-		err := policy.ValidEmail(address)
++		err := pa.ValidEmail(address)
+ 		if err != nil {
+ 			continue
+ 		}
+@@ -851,7 +859,7 @@ func (wfe *WebFrontEndImpl) NewAccount(
+ 	}
+ 	newRegistrationSuccessful = true
+ 
+-	emails := contactsToEmails(accountCreateRequest.Contact)
++	emails := contactsToEmails(accountCreateRequest.Contact, wfe.pa)
+ 	if wfe.ee != nil && len(emails) > 0 {
+ 		_, err := wfe.ee.SendContacts(ctx, &emailpb.SendContactsRequest{
+ 			// Note: We are explicitly using the contacts provided by the
+@@ -2285,7 +2293,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
  	}
  
  	names = core.UniqueLowerNames(names)

utils.sh

@@ -4,7 +4,7 @@ set -e
 
 export PS_LABCA="bin/labca-gui"
 export PS_BOULDER="bin/boulder"
-export PS_BOULDER_COUNT=24
+export PS_BOULDER_COUNT=27
 export PS_MYSQL="mysqld"
 export PS_CONTROL="tcpserver"
 export PS_NGINX="nginx:"