diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 09e836b..2f47ca9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- - 1.18.4
+ - 1.20.3
 steps:
 - name: Checkout
diff --git a/build/build.sh b/build/build.sh
index 25bfbd0..3e1c974 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2023-04-04"
+boulderTag="release-2023-04-17"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/tmp.patch b/build/tmp.patch
index b3e018f..0e5d275 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -9,7 +9,7 @@ index cfdcc784a..b50c8b18d 100644
 boulder:
 # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
 - image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.3_2023-04-04}
-+ image: ghcr.io/hakwerk/labca-boulder:dockeronly
++ image: ghcr.io/hakwerk/labca-boulder:latest
 environment:
 # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
 # to the IP address where your ACME client's solver is listening.
@@ -55,7 +55,7 @@ index cfdcc784a..b50c8b18d 100644
 gui:
 - image: *boulder_image
-+ image: ghcr.io/hakwerk/labca-gui:dockeronly
++ image: ghcr.io/hakwerk/labca-gui:latest
 networks:
 - bluenet
 volumes:
@@ -97,7 +97,7 @@ index cfdcc784a..b50c8b18d 100644
 control:
 - image: *boulder_image
-+ image: ghcr.io/hakwerk/labca-control:dockeronly
++ image: ghcr.io/hakwerk/labca-control:latest
 networks:
 - bluenet
 volumes:
diff --git a/install b/install
index 124edfa..203381e 100755
--- a/install
+++ b/install 
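Review bot: The three `++ image:` lines this commit rewrites in build/tmp.patch (the `labca-boulder` hunk at @@ -9,7, and the `labca-gui` and `labca-control` hunks at @@ -55,7 and @@ -97,7) now reference the floating `:latest` tag, so the docker-compose file the patch produces no longer identifies which build of the CA components is running and will silently change on the next pull. The replaced `dockeronly` tag was floating as well, so this is not a regression, but the tag change is the natural point to pin these images, especially since the same commit pins `boulderTag` to a dated release in build/build.sh and install. A release tag matching that date, or a digest-qualified reference such as `image: ghcr.io/hakwerk/labca-boulder:<release-tag>@sha256:<digest>` (placeholder values), keeps the deployment reproducible and lets an operator verify what is actually deployed.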
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2023-04-04"
+boulderTag="release-2023-04-17"
 # Feature flags
 flag_skip_redis=true
diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch
index 3819060..98ecf0e 100644
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index c91be2a79..4ed591e10 100644
+index f3390749c..488125d71 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
 @@ -24,8 +24,10 @@ type Config struct {
@@ -30,6 +30,6 @@ index c91be2a79..4ed591e10 100644
 }
 - servers, err = bdns.StartDynamicProvider(c.VA.DNSResolver, 60*time.Second)
 - cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
 + defer servers.Stop()
 var resolver bdns.Client
 - if !(c.VA.DNSAllowLoopbackAddresses || c.Common.DNSAllowLoopbackAddresses) {
diff --git a/patches/crl-storer_main.patch b/patches/crl-storer_main.patch
index dd0c399..bd662bb 100644
--- a/patches/crl-storer_main.patch
+++ b/patches/crl-storer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go
-index bc1339957..b8d3b052a 100644
+index 36b9d2fc6..de60aa899 100644
 --- a/cmd/crl-storer/main.go
 +++ b/cmd/crl-storer/main.go
 @@ -46,6 +46,9 @@ type Config struct {
@@ -20,4 +20,4 @@ index bc1339957..b8d3b052a 100644
 + csi, err := storer.New(issuers, s3client, c.CRLStorer.S3Bucket, c.CRLStorer.LocalStorePath, scope, logger, clk)
 cmd.FailOnError(err, "Failed to create CRLStorer impl")
- start, stop, err := bgrpc.NewServer(c.CRLStorer.GRPC).Add(
+ start, err := bgrpc.NewServer(c.CRLStorer.GRPC).Add(
diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch
index 2a160fc..8fe906b 100644
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -1,5 +1,5 @@ 
diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index d81ebed67..0d8608c4e 100644
+index 09589b56d..4e83ffa54 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
 @@ -23,6 +23,7 @@ import (
@@ -31,7 +31,7 @@ index d81ebed67..0d8608c4e 100644
 // Path to a file containing a list of trusted root certificates for use
 // during the SMTP connection (as opposed to the gRPC connections).
 SMTPTrustedRootFile string
-@@ -827,6 +833,29 @@ func main() {
+@@ -832,6 +838,29 @@ func main() {
 cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 sac := sapb.NewStorageAuthorityClient(conn)
@@ -61,7 +61,7 @@ index d81ebed67..0d8608c4e 100644
 var smtpRoots *x509.CertPool
 if c.Mailer.SMTPTrustedRootFile != "" {
 pem, err := os.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -862,6 +891,7 @@ func main() {
+@@ -867,6 +896,7 @@ func main() {
 c.Mailer.Username,
 smtpPassword,
 smtpRoots,
diff --git a/patches/linter_linter.patch b/patches/linter_linter.patch
index c67b962..8143bf8 100644
--- a/patches/linter_linter.patch
+++ b/patches/linter_linter.patch
@@ -1,8 +1,8 @@
 diff --git a/linter/linter.go b/linter/linter.go
-index c6c1fda3..36b46934 100644
+index 957930ab0..dbb1d9214 100644
 --- a/linter/linter.go
 +++ b/linter/linter.go
-@@ -149,10 +149,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
+@@ -155,10 +155,21 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 SubjectKeyId: realIssuer.SubjectKeyId,
 URIs: realIssuer.URIs,
 UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage,
diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch
index 1b9ac4b..0b8a80c 100644
--- a/patches/test_config_ca_a.patch
+++ b/patches/test_config_ca_a.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json
 index 1233a9c95..3c4a0a3ca 100644
 --- a/test/config/ca-a.json 
+++ b/test/config/ca-a.json
-@@ -104,30 +104,7 @@
+@@ -71,30 +71,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch
index 4aad2a8..1f4576b 100644
--- a/patches/test_config_ca_b.patch
+++ b/patches/test_config_ca_b.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json
 index 960d62f95..54b25dd81 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
-@@ -104,30 +104,7 @@
+@@ -71,30 +71,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch
index a8320d4..771ec54 100644
--- a/patches/updater_updater.patch
+++ b/patches/updater_updater.patch
@@ -1,5 +1,5 @@
 diff --git a/crl/updater/updater.go b/crl/updater/updater.go
-index aa398d0a..0db875d2 100644
+index 7d28c6e23..9f663706b 100644
 --- a/crl/updater/updater.go
 +++ b/crl/updater/updater.go
 @@ -8,6 +8,7 @@ import (
@@ -40,7 +40,16 @@ index aa398d0a..0db875d2 100644
 // We don't want the times at which crlUpdater runs to be dependent on when
 // the process starts. So wait until the appropriate time before kicking off
 // the first run and the main ticker loop.
-@@ -319,7 +343,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam
+@@ -141,7 +165,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error {
+ // counting from the appropriate time.
+ ticker := time.NewTicker(cu.updatePeriod)
+ atTime := cu.clk.Now()
+- err := cu.Tick(ctx, atTime)
++ err = cu.Tick(ctx, atTime)
+ if err != nil {
+ // We only log, rather than return, so that the long-lived process can
+ // continue and try again at the next tick.
+@@ -327,7 +351,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam
 crlEntries = append(crlEntries, entry)
 }