Bump boulder version to release-2024-05-06

2026-01-27 10:19:34 +00:00 · 2024-07-02 19:47:47 +02:00
parent e6e69beb41
commit 4eb3ad877c
16 changed files with 80 additions and 51 deletions
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-04-30"
+boulderTag="release-2024-05-06"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index e24e9085a..6262eccd0 100644
+index 5d19996ad..e1ccf8f45 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -175,6 +175,9 @@ def setupHierarchyOriginal():
+@@ -183,6 +183,9 @@ def setupHierarchyOriginal():
 
 
 def install(race_detection):
--- a/control_do.sh
+++ b/control_do.sh
@@ -27,9 +27,12 @@ setup_boulder_data() {

    sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
-    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
-    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca.json
-    sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca.json
+    sed -i -e "s|http://ca.example.org:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
+    sed -i -e "s|http://ca.example.org:4501/rsa-a/|http://$LABCA_FQDN/crl/|g" config/ca.json
+    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-a.json
+    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
+    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
+    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -53,6 +53,8 @@ else
 fi


+perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-a.json
+perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/remoteva-b.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-a.json
 perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2/igs" config/va-remote-b.json
@@ -61,6 +63,8 @@ perl -i -p0e "s/(\"dnsStaticResolvers\": \[\n).*?(\s+\],)/\1\t\t\t\"$PKI_DNS\"\2
 for fl in $(grep -Rl maxConnectionAge config/); do
    perl -i -p0e "s/(\s+\"maxConnectionAge\":[^\n]+)//igs" $fl
 done
+sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-a.json
+sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/remoteva-b.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-a.json
 sed -i -e "s/\"issuerDomain\": \".*\"/\"issuerDomain\": \"$PKI_DOMAIN\"/" config/va-remote-b.json
@@ -131,6 +135,8 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
    cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s/\(must-staple.le.wtf: 10000\).*\(  registrationOverrides:\)/\1\n$REPLACEMENT\2/" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
    cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml

+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-a.json
+    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/remoteva-b.json
    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va.json
    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-a.json
    perl -i -p0e "s/(\"labcaDomains\": \[\n).*?(\])/\1$LABCA_DOMAINS\n\t\t\2/igs" config/va-remote-b.json
@@ -156,8 +162,8 @@ rm -f config/ca-a.json
 rm -f config/ca-b.json

 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca.json
-sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca.json
-sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca.json
+sed -i -e "s|\"ocspURL\": \".*\"|\"ocspURL\": \"http://$PKI_FQDN/ocsp/\"|" config/ca.json
+sed -i -e "s|\"crlURLBase\": \".*\"|\"crlURLBase\": \"http://$PKI_FQDN/crl/\"|" config/ca.json

 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
--- a/11
+++ b/11
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-04-30"
+boulderTag="release-2024-05-06"

 # Feature flags
 flag_skip_redis=true
@@ -666,9 +666,12 @@ config_boulder() {
        cd "$boulderLabCADir"
        sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
-        sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
-        sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca.json
-        sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca.json
+        sed -i -e "s|http://ca.example.org:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
+        sed -i -e "s|http://ca.example.org:4501/rsa-a/|http://$LABCA_FQDN/crl/|g" config/ca.json
+        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-a.json
+        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-a.json
+        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/remoteva-b.json
+        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/remoteva-b.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -30,8 +30,12 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patc

 cp test/config/va*.json "$boulderLabCADir/config/"
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va.json
+perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-a.json
+perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/remoteva-b.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/\"dnsProvider\": \{.*?\t\t},/\"dnsStaticResolvers\": [\n\t\t\t\"127.0.0.1:8053\",\n\t\t\t\"127.0.0.1:8054\"\n\t\t],/igs" $boulderLabCADir/config/va-remote-b.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-a.json
+perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-b.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-a.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va-remote-b.json
@@ -63,20 +67,18 @@ sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/publisher
 sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" config/wfe2.json
 sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" integration-test.py
 sed -i -e "s|/hierarchy/root-rsa.cert.pem|labca/test-root.pem|" helpers.py
-sed -i -e "s/5001/443/g" config/va.json
-sed -i -e "s/5002/80/g" config/va.json
-sed -i -e "s/5001/443/g" config/va-remote-a.json
-sed -i -e "s/5002/80/g" config/va-remote-a.json
-sed -i -e "s/5001/443/g" config/va-remote-b.json
-sed -i -e "s/5002/80/g" config/va-remote-b.json
 sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
 sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json
 sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
+sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.json
+sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-a.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/remoteva-b.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json

--- a/patch.sh
+++ b/patch.sh
@@ -46,6 +46,7 @@ $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimit_rate-limits.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
+$SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
 $SUDO patch -p1 < $cloneDir/patches/startservers.patch
 if [ "$SUDO" == "" ]; then
    # TODO: should include this into startservers.patch
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,16 +1,16 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index 0bef1d4f1..ec03f44e7 100644
+index 032435fac..d3961512b 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -41,6 +41,7 @@ type Config struct {
- 		Features features.Config
- 
- 		AccountURIPrefixes []string `validate:"min=1,dive,required,url"`
-+		LabCADomains       []string
+@@ -21,6 +21,7 @@ type Config struct {
+ 		RemoteVAs                   []cmd.GRPCClientConfig `validate:"omitempty,dive"`
+ 		MaxRemoteValidationFailures int                    `validate:"omitempty,min=0,required_with=RemoteVAs"`
+ 		Features                    features.Config
+		LabCADomains                []string
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -150,7 +151,8 @@ func main() {
+@@ -115,7 +116,8 @@ func main() {
 		scope,
 		clk,
 		logger,
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 23d8d3ab1..bc28fc618 100644
+index 35bf4c07d..36316235e 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -134,8 +134,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
+@@ -122,8 +122,10 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
 				builder = strings.Builder{}
 			}
 		}
--- a/patches/cmd_config.patch
+++ b/patches/cmd_config.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/config.go b/cmd/config.go
-index d38291d5..13fe4a52 100644
+index 1a3edabff..09369bf88 100644
 --- a/cmd/config.go
 +++ b/cmd/config.go
-@@ -454,7 +454,7 @@ type GRPCServerConfig struct {
+@@ -455,7 +455,7 @@ type GRPCServerConfig struct {
 	// this controls how long it takes before a client learns about changes to its
 	// backends.
 	// https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters
--- a/patches/issuance_crl.patch
+++ b/patches/issuance_crl.patch
@@ -1,13 +0,0 @@
-diff --git a/issuance/crl.go b/issuance/crl.go
-index 9f9619ff1..f0a180a6f 100644
--- a/issuance/crl.go
-+++ b/issuance/crl.go
-@@ -91,7 +91,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
- 	if req.DeprecatedIDPBaseURL != "" {
- 		// TODO(#7296): Remove this fallback once CCADB and all non-expired certs
- 		// contain the new-style CRLDP URL instead.
-		idps = append(idps, fmt.Sprintf("%s/%d/%d.crl", req.DeprecatedIDPBaseURL, i.NameID(), req.Shard))
-+		idps = append(idps, fmt.Sprintf("%s/%d.crl", req.DeprecatedIDPBaseURL, i.NameID()))
- 	}
- 	idp, err := idp.MakeUserCertsExt(idps)
- 	if err != nil {
--- a/patches/ratelimits_names.patch
+++ b/patches/ratelimits_names.patch
@@ -1,8 +1,8 @@
 diff --git a/ratelimits/names.go b/ratelimits/names.go
-index c92970498..f4d6c282b 100644
+index 0037363b0..c2ddc6076 100644
 --- a/ratelimits/names.go
 +++ b/ratelimits/names.go
-@@ -148,7 +148,11 @@ func validateRegId(id string) error {
+@@ -150,7 +150,11 @@ func validateRegId(id string) error {
 // validateDomain validates that the provided string is formatted 'domain',
 // where domain is a domain name.
 func validateDomain(id string) error {
@@ -15,7 +15,7 @@ index c92970498..f4d6c282b 100644
 	if err != nil {
 		return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err)
 	}
-@@ -169,7 +173,11 @@ func validateRegIdDomain(id string) error {
+@@ -171,7 +175,11 @@ func validateRegIdDomain(id string) error {
 		return fmt.Errorf(
 			"invalid regId, %q must be formatted 'regId:domain'", id)
 	}
@@ -28,7 +28,7 @@ index c92970498..f4d6c282b 100644
 	if err != nil {
 		return fmt.Errorf(
 			"invalid domain, %q must be formatted 'regId:domain': %w", id, err)
-@@ -185,8 +193,12 @@ func validateFQDNSet(id string) error {
+@@ -187,8 +195,12 @@ func validateFQDNSet(id string) error {
 		return fmt.Errorf(
 			"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
 	}
--- a/patches/remoteva_main.patch
+++ b/patches/remoteva_main.patch
@@ -0,0 +1,24 @@
+diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
+index e83642477..6efab1ca3 100644
+--- a/cmd/remoteva/main.go
+++ b/cmd/remoteva/main.go
+@@ -18,7 +18,8 @@ import (
+ type Config struct {
+ 	RVA struct {
+ 		vaConfig.Common
+-		Features features.Config
+		Features     features.Config
+		LabCADomains []string
+ 	}
+ 
+ 	Syslog        cmd.SyslogConfig
+@@ -95,7 +96,8 @@ func main() {
+ 		scope,
+ 		clk,
+ 		logger,
+-		c.RVA.AccountURIPrefixes)
+		c.RVA.AccountURIPrefixes,
+		c.RVA.LabCADomains)
+ 	cmd.FailOnError(err, "Unable to create Remote-VA server")
+ 
+ 	start, err := bgrpc.NewServer(c.RVA.GRPC, logger).Add(
--- a/patches/startservers.patch
+++ b/patches/startservers.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 022e08949..e24e9085a 100644
+index fcfdc9423..5d19996ad 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -161,6 +161,9 @@ processes = []
+@@ -169,6 +169,9 @@ processes = []
 challSrvProcess = None
 
 def setupHierarchy():
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ca.json b/test/config/ca.json
 index 53ae91f2d..1937e5580 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
-@@ -59,35 +59,13 @@
+@@ -59,38 +59,14 @@
 			},
 			"issuers": [
 				{
@@ -10,6 +10,7 @@ index 53ae91f2d..1937e5580 100644
 -					"useForECDSALeaves": true,
 -					"issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
 -					"ocspURL": "http://ca.example.org:4002/",
+-					"crlURLBase": "http://ca.example.org:4501/ecdsa-a/",
 -					"location": {
 -						"configFile": "/hierarchy/int-ecdsa-a.pkcs11.json",
 -						"certFile": "/hierarchy/int-ecdsa-a.cert.pem",
@@ -21,6 +22,7 @@ index 53ae91f2d..1937e5580 100644
 					"useForECDSALeaves": true,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
 					"ocspURL": "http://ca.example.org:4002/",
+ 					"crlURLBase": "http://ca.example.org:4501/rsa-a/",
 					"location": {
 -						"configFile": "/hierarchy/int-rsa-a.pkcs11.json",
 -						"certFile": "/hierarchy/int-rsa-a.cert.pem",
@@ -32,6 +34,7 @@ index 53ae91f2d..1937e5580 100644
 -					"useForECDSALeaves": false,
 -					"issuerURL": "http://ca.example.org:4502/int-rsa-b",
 -					"ocspURL": "http://ca.example.org:4003/",
+-					"crlURLBase": "http://ca.example.org:4501/rsa-b/",
 -					"location": {
 -						"configFile": "/hierarchy/int-rsa-b.pkcs11.json",
 -						"certFile": "/hierarchy/int-rsa-b.cert.pem",
--- a/patches/va_http.patch
+++ b/patches/va_http.patch
@@ -1,8 +1,8 @@
 diff --git a/va/http.go b/va/http.go
-index 78df8bf42..db281855c 100644
+index 5eefabcb4..0188d4005 100644
 --- a/va/http.go
 +++ b/va/http.go
-@@ -332,7 +332,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
+@@ -326,7 +326,16 @@ func (va *ValidationAuthorityImpl) extractRequestTarget(req *http.Request) (stri
 	}
 
 	if _, err := iana.ExtractSuffix(reqHost); err != nil {