Bump boulder version to v0.20251110.0

2026-01-27 10:19:34 +00:00 · 2025-11-14 15:09:09 +01:00
parent e808b18d2a
commit 78b63c2b9b
20 changed files with 180 additions and 157 deletions
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="v0.20251021.0"
+boulderTag="v0.20251110.0"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -94,7 +94,7 @@ services:
      bash -c "sleep 20 && mysql_upgrade -h bmysql"

  bredis:
-    image: redis:6.2.7
+    image: redis:7.0.15
    volumes:
      - ./test/:/test/:cached
      - boulder_data:/opt/boulder/labca
@@ -106,7 +106,7 @@ services:
    restart: always

  bconsul:
-    image: hashicorp/consul:1.15.4
+    image: hashicorp/consul:1.19.2
    depends_on:
      - control
    volumes:
--- a/build/tag_and_upload.sh
+++ b/build/tag_and_upload.sh
@@ -29,8 +29,13 @@ die() {
 [ -f "tmp/labca-gui" ] || die "LabCA binary does not exist!"
 docker build -f Dockerfile-gui -t $LABCA_GUI_TAG .

+field=3
+if [ $(docker images | grep "DISK USAGE" | wc -l) != "0" ]; then
+    field=2
+fi
+
 if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
-    ID="$(docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1 | awk '{print $3}')"
+    ID="$(docker images | grep "${REPO_BASE}-gui" | grep -v latest | head -n 1 | awk -v f="$field" '{print $f}')"
    docker tag "$ID" $LABCA_GUI_LATEST
 fi

@@ -39,14 +44,14 @@ cnt=$(ls -1 tmp/bin | wc -l)
 docker build -f Dockerfile-boulder -t $LABCA_BOULDER_TAG .

 if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
-    ID="$(docker images | grep "${REPO_BASE}-boulder" | grep -v latest | head -n 1 | awk '{print $3}')"
+    ID="$(docker images | grep "${REPO_BASE}-boulder" | grep -v latest | head -n 1 | awk -v f="$field" '{print $f}')"
    docker tag "$ID" $LABCA_BOULDER_LATEST
 fi

 docker build -f Dockerfile-control -t $LABCA_CONTROL_TAG .

 if [ "$BRANCH" == "master" ] || [ "$BRANCH" == "main" ]; then
-    ID="$(docker images | grep "${REPO_BASE}-control" | grep -v latest | head -n 1 | awk '{print $3}')"
+    ID="$(docker images | grep "${REPO_BASE}-control" | grep -v latest | head -n 1 | awk -v f="$field" '{print $f}')"
    docker tag "$ID" $LABCA_CONTROL_LATEST
 fi

--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -50,7 +50,7 @@ index c0c7fc838..fd9a67f35 100644
 +      bash -c "sleep 20 && mysql_upgrade -h bmysql"
 +
   bredis:
-     image: redis:6.2.7
+     image: redis:7.0.15
     volumes:
       - ./test/:/test/:cached
 -      - /home/labca/boulder_labca:/opt/boulder/labca
--- a/9
+++ b/9
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="v0.20251021.0"
+boulderTag="v0.20251110.0"

 #
 # Color configuration
@@ -871,7 +871,9 @@ main() {
    local curdir="$PWD"

    echo
-    check_dockeronly
+    if [[ "$0" == *" -t"* ]]; then
+        check_dockeronly
+    fi

    start_temporary_log
    check_root
@@ -913,7 +915,8 @@ main() {
        msg_info "$msg"
        build/tag_and_upload.sh &>>$installLog || msg_fatal "Could not tag (and upload) docker images!"
        msg_ok "$msg"
-        msg_ok "That's it for now!"
+        sed -i -e "s|ghcr.io/hakwerk/|hakwerk/|" build/docker-compose.yml &>>$installLog
+        msg_ok "That's it for now! - don't forget to 'export LABCA_FQDN=$(hostname -f)'"
        exit 0
    fi

--- a/patches/bdns_dns.patch
+++ b/patches/bdns_dns.patch
@@ -1,16 +1,16 @@
 diff --git a/bdns/dns.go b/bdns/dns.go
-index 5d297f3ef..9eabf1239 100644
+index 5fee207b8..f147da8e9 100644
 --- a/bdns/dns.go
 +++ b/bdns/dns.go
-@@ -21,6 +21,7 @@ import (
- 	"github.com/miekg/dns"
+@@ -20,6 +20,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
+ 	"github.com/prometheus/client_golang/prometheus/promauto"
 
 +	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/iana"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
-@@ -77,22 +78,30 @@ func New(
+@@ -75,22 +76,30 @@ func New(
 ) Client {
 	var client exchanger
 
@@ -56,20 +56,20 @@ index 5d297f3ef..9eabf1239 100644
 +		}
 	}
 
- 	queryTime := prometheus.NewHistogramVec(
-@@ -273,10 +282,17 @@ func (dnsClient *impl) exchangeOne(ctx context.Context, hostname string, qtype u
+ 	queryTime := promauto.With(stats).NewHistogramVec(
+@@ -260,10 +269,17 @@ func (dnsClient *impl) exchangeOne(ctx context.Context, hostname string, qtype u
 		case r := <-ch:
 			if r.err != nil {
 				var isRetryable bool
-				// According to the http package documentation, retryable
-				// errors emitted by the http package are of type *url.Error.
-				var urlErr *url.Error
-				isRetryable = errors.As(r.err, &urlErr) && urlErr.Temporary()
+-				// Check if the error is a timeout error. Network errors
+-				// that can timeout implement the net.Error interface.
+-				var netErr net.Error
+-				isRetryable = errors.As(r.err, &netErr) && netErr.Timeout()
 +				if features.Get().DOH {
-+					// According to the http package documentation, retryable
-+					// errors emitted by the http package are of type *url.Error.
-+					var urlErr *url.Error
-+					isRetryable = errors.As(r.err, &urlErr) && urlErr.Temporary()
+					// Check if the error is a timeout error. Network errors
+					// that can timeout implement the net.Error interface.
+					var netErr net.Error
+					isRetryable = errors.As(r.err, &netErr) && netErr.Timeout()
 +				} else {
 +					// According to the net package documentation, retryable
 +					// errors emitted by the net package are of type *net.OpError.
--- a/patches/boulder-ra_main.patch
+++ b/patches/boulder-ra_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
-index dd30f78cd..a3b6c2e88 100644
+index 7d8b73dde..f37e1581e 100644
 --- a/cmd/boulder-ra/main.go
 +++ b/cmd/boulder-ra/main.go
-@@ -268,6 +268,8 @@ func main() {
+@@ -261,6 +261,8 @@ func main() {
 		limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger)
 		cmd.FailOnError(err, "Failed to create Redis ring")
 
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,16 +1,16 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index dd3fe9b39..5f6325f51 100644
+index fecf2ed7f..aa4d3320a 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -54,6 +54,7 @@ type Config struct {
- 		// Deprecated and ignored
- 		MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"`
- 		Features                    features.Config
-+		LabCADomains                []string
+@@ -58,6 +58,7 @@ type Config struct {
+ 		// Leaving this value zero means the VA won't early-cancel slow remotes.
+ 		SlowRemoteTimeout config.Duration
+ 		Features          features.Config
+		LabCADomains      []string
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -83,12 +84,16 @@ func main() {
+@@ -87,12 +88,16 @@ func main() {
 	clk := clock.New()
 
 	var servers bdns.ServerProvider
@@ -28,13 +28,11 @@ index dd3fe9b39..5f6325f51 100644
 		cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
 	}
 	defer servers.Stop()
-@@ -149,7 +154,8 @@ func main() {
- 		c.VA.AccountURIPrefixes,
+@@ -154,6 +159,7 @@ func main() {
 		va.PrimaryPerspective,
 		"",
-		iana.IsReservedAddr)
-+		iana.IsReservedAddr,
-+		c.VA.LabCADomains)
+ 		iana.IsReservedAddr,
+		c.VA.LabCADomains,
+ 		c.VA.SlowRemoteTimeout.Duration,
+ 	)
 	cmd.FailOnError(err, "Unable to create VA server")
- 
- 	start, err := bgrpc.NewServer(c.VA.GRPC, logger).Add(
--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,17 +1,13 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 3b33991eb..b63f6a143 100644
+index a5890452f..3a62648c3 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -164,10 +164,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -192,7 +192,7 @@ func NewCertificateAuthorityImpl(
+ 
+ 	for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
+ 		if !issuableKeys[keyAlg] {
+-			return nil, fmt.Errorf("no %s issuers configured", keyAlg)
+			fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)
 		}
 	}
- 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
-		return issuerMaps{}, errors.New("no ECDSA issuers configured")
-+		fmt.Println("WARNING: no ECDSA issuers configured")
- 	}
- 	if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
-		return issuerMaps{}, errors.New("no RSA issuers configured")
-+		fmt.Println("WARNING: no RSA issuers configured")
- 	}
- 	return issuerMaps{issuersByAlg, issuersByNameID}, nil
- }
+ 
--- a/patches/ca_ca_keytype_hack.patch
+++ b/patches/ca_ca_keytype_hack.patch
@@ -1,21 +1,36 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index b63f6a143..2ab73db94 100644
+index 3a62648c3..2cb8337ca 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -164,10 +164,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -190,11 +190,12 @@ func NewCertificateAuthorityImpl(
 		}
 	}
- 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
-		fmt.Println("WARNING: no ECDSA issuers configured")
+ 
+-	for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
+-		if !issuableKeys[keyAlg] {
+-			fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)
+-		}
+-	}
+	// TODO: LabCA hack!
+	//for _, keyAlg := range []x509.PublicKeyAlgorithm{x509.ECDSA, x509.RSA} {
+	//	if !issuableKeys[keyAlg] {
+	//		fmt.Printf("WARNING: no %s issuers configured\n", keyAlg)
+	//	}
+	//}
+ 
+ 	return &certificateAuthorityImpl{
+ 		sa:        sa,
+@@ -474,9 +475,10 @@ func (ca *certificateAuthorityImpl) pickIssuer(profileName string, keyAlg x509.P
+ 		if !issuer.IsActive() {
+ 			continue
+ 		}
+-		if issuer.KeyType() != keyAlg {
+-			continue
+-		}
 +		// TODO: LabCA hack!
-+		issuersByAlg[x509.ECDSA] = issuersByAlg[x509.RSA]
-+		// fmt.Println("WARNING: no ECDSA issuers configured")
- 	}
- 	if i, ok := issuersByAlg[x509.RSA]; !ok || len(i) == 0 {
-		fmt.Println("WARNING: no RSA issuers configured")
-+		// TODO: LabCA hack!
-+		issuersByAlg[x509.RSA] = issuersByAlg[x509.ECDSA]
-+		// fmt.Println("WARNING: no RSA issuers configured")
- 	}
- 	return issuerMaps{issuersByAlg, issuersByNameID}, nil
- }
+		//if issuer.KeyType() != keyAlg {
+		//	continue
+		//}
+ 		if !slices.Contains(issuer.Profiles(), profileName) {
+ 			continue
+ 		}
--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 5937046fe..15c144984 100644
+index 513b9deae..f59b1820c 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
-@@ -132,8 +132,10 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR
+@@ -137,8 +137,10 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR
 				builder = strings.Builder{}
 			}
 		}
--- a/patches/config_crl-updater.patch
+++ b/patches/config_crl-updater.patch
@@ -1,8 +1,8 @@
 diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json
-index adb2b01e5..6066b7e5e 100644
+index 5c9e12413..5cc6d4716 100644
 --- a/test/config/crl-updater.json
 +++ b/test/config/crl-updater.json
-@@ -36,24 +36,19 @@
+@@ -36,18 +36,13 @@
 			"hostOverride": "crl-storer.boulder"
 		},
 		"issuerCerts": [
@@ -26,11 +26,4 @@ index adb2b01e5..6066b7e5e 100644
 +		"updateTimeout": "2m",
 		"expiresMargin": "5m",
 		"cacheControl": "stale-if-error=60",
- 		"temporallyShardedSerialPrefixes": [
- 			"7f"
- 		],
-		"maxParallelism": 10,
-+		"maxParallelism": 1,
- 		"maxAttempts": 2,
- 		"features": {}
- 	},
+ 		"maxParallelism": 10,
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 2e2ff2746..c0c7fc838 100644
+index 39802cd8b..58bb84501 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -1,3 +1,4 @@
@@ -81,9 +81,14 @@ index 2e2ff2746..c0c7fc838 100644
 +    command: mysqld --bind-address=0.0.0.0 --log-output=TABLE
     logging:
 -      driver: none
-
+      driver: "json-file"
+      options:
+        max-size: "500k"
+        max-file: "5"
+    restart: always
+ 
 -  bproxysql:
-    image: proxysql/proxysql:2.5.4
+-    image: proxysql/proxysql:2.7.2
 -    # The --initial flag force resets the ProxySQL database on startup. By
 -    # default, ProxySQL ignores new configuration if the database already
 -    # exists. Without this flag, new configuration wouldn't be applied until you
@@ -97,15 +102,10 @@ index 2e2ff2746..c0c7fc838 100644
 -      bouldernet:
 -        aliases:
 -          - boulder-proxysql
-+      driver: "json-file"
-+      options:
-+        max-size: "500k"
-+        max-file: "5"
-+    restart: always
- 
+-
 -  bredis_1:
 +  bredis:
-     image: redis:6.2.7
+     image: redis:7.0.15
     volumes:
       - ./test/:/test/:cached
 -    command: redis-server /test/redis-ratelimits.config
@@ -114,36 +114,31 @@ index 2e2ff2746..c0c7fc838 100644
     networks:
       bouldernet:
         ipv4_address: 10.77.77.4
-
-  bredis_2:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-ratelimits.config
-    networks:
-      bouldernet:
-        ipv4_address: 10.77.77.5
 +    restart: always
 
-   bconsul:
-     image: hashicorp/consul:1.15.4
+-  bredis_2:
+-    image: redis:7.0.15
+  bconsul:
+    image: hashicorp/consul:1.19.2
 +    depends_on:
 +      - control
     volumes:
-     - ./test/:/test/:cached
+-      - ./test/:/test/:cached
+-    command: redis-server /test/redis-ratelimits.config
 +      - /home/labca/boulder_labca:/opt/boulder/labca
     networks:
       bouldernet:
-         ipv4_address: 10.77.77.10
-    command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+-        ipv4_address: 10.77.77.5
+        ipv4_address: 10.77.77.10
 +    command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
 +    restart: always
 
-  bjaeger:
-    image: jaegertracing/all-in-one:1.50
+-  bconsul:
+-    image: hashicorp/consul:1.19.1
 +  gui:
 +    image: *boulder_tools_image
-+    volumes:
+     volumes:
+-     - ./test/:/test/:cached
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin:/go/src/labca
 +      - ./.gocache:/root/.cache/go-build
@@ -153,7 +148,10 @@ index 2e2ff2746..c0c7fc838 100644
 +      - /home/labca/boulder_labca:/opt/boulder/labca
 +      - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/
     networks:
-       - bouldernet
+-      bouldernet:
+-        ipv4_address: 10.77.77.10
+-    command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+      - bouldernet
 +    expose:
 +      - 3000
 +    depends_on:
@@ -182,11 +180,13 @@ index 2e2ff2746..c0c7fc838 100644
 +      - /home/labca/nginx_data/static:/var/www/html
 +    depends_on:
 +      - control
-+
+ 
+-  bjaeger:
+-    image: jaegertracing/all-in-one:1.50
 +  control:
 +    image: *boulder_tools_image
-+    networks:
-+      - bouldernet
+     networks:
+       - bouldernet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin/data:/opt/labca/data
--- a/patches/issuance_issuer.patch
+++ b/patches/issuance_issuer.patch
@@ -1,8 +1,8 @@
 diff --git a/issuance/issuer.go b/issuance/issuer.go
-index 1c8b7ed1f..c21910db2 100644
+index 8479470ba..33672c905 100644
 --- a/issuance/issuer.go
 +++ b/issuance/issuer.go
-@@ -128,8 +128,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) {
+@@ -129,8 +129,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) {
 	lastCert := certs[len(certs)-1]
 	err = lastCert.CheckSignatureFrom(lastCert.Certificate)
 	if err != nil {
@@ -13,16 +13,16 @@ index 1c8b7ed1f..c21910db2 100644
 			lastCert.Subject, certFiles[len(certFiles)-1], err)
 	}
 
-@@ -154,7 +154,7 @@ type IssuerConfig struct {
- 	Profiles []string `validate:"omitempty,dive,alphanum,min=1,max=32"`
+@@ -156,7 +156,7 @@ type IssuerConfig struct {
+ 	Profiles []string `validate:"required_if=Active true,dive,alphanum,min=1,max=32"`
 
 	IssuerURL  string `validate:"required,url"`
 -	CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`
 +	CRLURLBase string `validate:"required,url,startswith=http://"`
 
- 	// TODO(#8177): Remove this.
- 	OCSPURL string `validate:"omitempty,url"`
-@@ -239,9 +239,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
+ 	// Number of CRL shards. Must be positive, but can be 1 for no sharding.
+ 	CRLShards int `validate:"required,min=1"`
+@@ -242,9 +242,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
 	if !strings.HasPrefix(config.CRLURLBase, "http://") {
 		return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase)
 	}
@@ -30,5 +30,5 @@ index 1c8b7ed1f..c21910db2 100644
 -		return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase)
 -	}
 	if config.CRLShards <= 0 {
- 		return nil, errors.New("Number of CRL shards is required")
+ 		return nil, errors.New("number of CRL shards is required")
 	}
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 54e51cce5..af96bb245 100644
+index cd8c599fb..32d94f68c 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
@@ -41,7 +41,6 @@ import (
@@ -10,7 +10,7 @@ index 54e51cce5..af96bb245 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -567,7 +566,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -566,7 +565,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 		if !core.IsASCII(contact) {
 			return berrors.InvalidEmailError("contact email contains non-ASCII characters")
 		}
@@ -19,7 +19,7 @@ index 54e51cce5..af96bb245 100644
 		if err != nil {
 			return err
 		}
-@@ -1850,6 +1849,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
+@@ -1847,6 +1846,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
 		return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url)
 	}
 	shardStr := url[lastIndex+1:]
--- a/patches/remoteva_main.patch
+++ b/patches/remoteva_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
-index d049ba126..16fdca8a4 100644
+index 43b68d621..1c950cff6 100644
 --- a/cmd/remoteva/main.go
 +++ b/cmd/remoteva/main.go
@@ -59,7 +59,8 @@ type Config struct {
@@ -30,13 +30,11 @@ index d049ba126..16fdca8a4 100644
 		cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
 	}
 	defer servers.Stop()
-@@ -140,7 +145,8 @@ func main() {
- 		c.RVA.AccountURIPrefixes,
+@@ -141,6 +146,7 @@ func main() {
 		c.RVA.Perspective,
 		c.RVA.RIR,
-		iana.IsReservedAddr)
-+		iana.IsReservedAddr,
-+		c.RVA.LabCADomains)
+ 		iana.IsReservedAddr,
+		c.RVA.LabCADomains,
+ 		0,
+ 	)
 	cmd.FailOnError(err, "Unable to create Remote-VA server")
- 
- 	start, err := bgrpc.NewServer(c.RVA.GRPC, logger).Add(
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/ca.json b/test/config/ca.json
-index 477f82b12..9512d98b0 100644
+index 59a1f348c..58f51f5e7 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
@@ -1,11 +1,11 @@
@@ -18,28 +18,26 @@ index 477f82b12..9512d98b0 100644
 		"grpcCA": {
 			"maxConnectionAge": "30s",
 			"address": ":9093",
-@@ -59,7 +59,8 @@
- 					"includeCRLDistributionPoints": true,
+@@ -56,7 +56,7 @@
+ 					"omitSKID": false,
 					"maxValidityPeriod": "7776000s",
 					"maxValidityBackdate": "1h5m",
 -					"lintConfig": "test/config-next/zlint.toml",
-+					"includeCRLDistributionPoints": true,
 +					"lintConfig": "labca/config/zlint.toml",
 					"ignoredLints": [
 						"w_subject_common_name_included",
 						"e_dnsname_not_valid_tld",
-@@ -76,7 +77,8 @@
- 					"includeCRLDistributionPoints": true,
+@@ -70,7 +70,7 @@
+ 					"omitSKID": true,
 					"maxValidityPeriod": "160h",
 					"maxValidityBackdate": "1h5m",
 -					"lintConfig": "test/config-next/zlint.toml",
-+					"includeCRLDistributionPoints": true,
 +					"lintConfig": "labca/config/zlint.toml",
 					"ignoredLints": [
 						"w_ext_subject_key_identifier_missing_sub_cert",
 						"e_dnsname_not_valid_tld"
-@@ -92,7 +94,7 @@
- 					"includeCRLDistributionPoints": true,
+@@ -83,7 +83,7 @@
+ 					"omitSKID": true,
 					"maxValidityPeriod": "583200s",
 					"maxValidityBackdate": "1h5m",
 -					"lintConfig": "test/config-next/zlint.toml",
@@ -47,7 +45,7 @@ index 477f82b12..9512d98b0 100644
 					"ignoredLints": [
 						"w_ext_subject_key_identifier_missing_sub_cert",
 						"e_dnsname_not_valid_tld"
-@@ -102,72 +104,17 @@
+@@ -93,23 +93,9 @@
 			"crlProfile": {
 				"validityInterval": "216h",
 				"maxBackdate": "1h5m",
@@ -55,8 +53,11 @@ index 477f82b12..9512d98b0 100644
 +				"lintConfig": "labca/config/zlint.toml"
 			},
 			"issuers": [
- 				{
- 					"active": true,
+-				{
+-					"active": true,
+-					"profiles": [
+-						"legacy"
+-					],
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/",
@@ -66,8 +67,13 @@ index 477f82b12..9512d98b0 100644
 -						"numSessions": 2
 -					}
 -				},
-				{
-					"active": true,
+ 				{
+ 					"active": true,
+ 					"profiles": [
+@@ -117,64 +103,12 @@
+ 						"modern",
+ 						"shortlived"
+ 					],
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-ecdsa-b",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/",
@@ -90,6 +96,9 @@ index 477f82b12..9512d98b0 100644
 -				},
 -				{
 -					"active": true,
+-					"profiles": [
+-						"legacy"
+-					],
 -					"crlShards": 10,
 +					"crlShards": 1,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
@@ -102,6 +111,11 @@ index 477f82b12..9512d98b0 100644
 -				},
 -				{
 -					"active": true,
+-					"profiles": [
+-						"legacy",
+-						"modern",
+-						"shortlived"
+-					],
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-rsa-b",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/",
@@ -124,16 +138,16 @@ index 477f82b12..9512d98b0 100644
 						"numSessions": 2
 					}
 				}
-@@ -179,7 +126,7 @@
+@@ -184,7 +118,7 @@
+ 		"maxNames": 100,
 		"goodkey": {},
 		"ocspLogMaxLength": 4000,
- 		"ocspLogPeriod": "500ms",
 -		"ctLogListFile": "test/ct-test-srv/log_list.json",
 +		"ctLogListFile": "labca/ct-test-srv/log_list.json",
 		"features": {}
 	},
 	"pa": {
-@@ -194,7 +141,7 @@
+@@ -199,7 +133,7 @@
 		}
 	},
 	"syslog": {
--- a/patches/va_va.patch
+++ b/patches/va_va.patch
@@ -1,8 +1,8 @@
 diff --git a/va/va.go b/va/va.go
-index 4993aec36..161cbacda 100644
+index 55211e27b..20c5f0a94 100644
 --- a/va/va.go
 +++ b/va/va.go
-@@ -219,6 +219,7 @@ type ValidationAuthorityImpl struct {
+@@ -220,6 +220,7 @@ type ValidationAuthorityImpl struct {
 	perspective        string
 	rir                string
 	isReservedIPFunc   func(netip.Addr) error
@@ -10,15 +10,15 @@ index 4993aec36..161cbacda 100644
 
 	metrics *vaMetrics
 }
-@@ -239,6 +240,7 @@ func NewValidationAuthorityImpl(
+@@ -240,6 +241,7 @@ func NewValidationAuthorityImpl(
 	perspective string,
 	rir string,
 	reservedIPChecker func(netip.Addr) error,
 +	labcaDomains []string,
+ 	slowRemoteTimeout time.Duration,
 ) (*ValidationAuthorityImpl, error) {
 
- 	if len(accountURIPrefixes) == 0 {
-@@ -276,6 +278,7 @@ func NewValidationAuthorityImpl(
+@@ -278,6 +280,7 @@ func NewValidationAuthorityImpl(
 		perspective:       perspective,
 		rir:               rir,
 		isReservedIPFunc:  reservedIPChecker,
--- a/patches/wfe2_main.patch
+++ b/patches/wfe2_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index cc5930699..8e1a14c3c 100644
+index a7a10ca26..4241ad106 100644
 --- a/cmd/boulder-wfe2/main.go
 +++ b/cmd/boulder-wfe2/main.go
@@ -14,14 +14,17 @@ import (
@@ -29,7 +29,7 @@ index cc5930699..8e1a14c3c 100644
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
-@@ -182,6 +185,8 @@ type Config struct {
+@@ -186,6 +189,8 @@ type Config struct {
 			// to enable the pausing feature.
 			URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
 		}
@@ -38,11 +38,12 @@ index cc5930699..8e1a14c3c 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -326,11 +331,25 @@ func main() {
+@@ -330,12 +335,26 @@ func main() {
 	var limiter *ratelimits.Limiter
 	var txnBuilder *ratelimits.TransactionBuilder
 	var limiterRedis *bredis.Ring
 +	var pa *policy.AuthorityImpl
+ 	overridesRefresherShutdown := func() {}
 	if c.WFE.Limiter.Defaults != "" {
 		// Setup rate limiting.
 		limiterRedis, err = bredis.NewRingFromConfig(*c.WFE.Limiter.Redis, stats, logger)
@@ -64,7 +65,7 @@ index cc5930699..8e1a14c3c 100644
 		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
 		limiter, err = ratelimits.NewLimiter(clk, source, stats)
 		cmd.FailOnError(err, "Failed to create rate limiter")
-@@ -371,6 +390,7 @@ func main() {
+@@ -384,6 +403,7 @@ func main() {
 		unpauseSigner,
 		c.WFE.Unpause.JWTLifetime.Duration,
 		c.WFE.Unpause.URL,
--- a/patches/wfe2_wfe.patch
+++ b/patches/wfe2_wfe.patch
@@ -1,5 +1,5 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index c225c56f3..294ec463f 100644
+index d82a529fc..3a0129c6c 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
@@ -166,6 +166,8 @@ type WebFrontEndImpl struct {
@@ -47,7 +47,7 @@ index c225c56f3..294ec463f 100644
 		if err != nil {
 			return nil, err
 		}
-@@ -2329,7 +2337,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2305,7 +2313,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
 	idents = identifier.Normalize(idents)
 	logEvent.Identifiers = idents