Bump boulder version to release-2022-02-01

install

@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2021-12-06"
+boulderTag="release-2022-02-01"
 
 # Feature flags
 flag_skip_redis=true
@@ -588,6 +588,9 @@ config_boulder() {
     sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/patches/config_bad-key-revoker.patch &>>$installLog
     sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch &>>$installLog
     sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch &>>$installLog
+    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch &>>$installLog
+    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/rocsp-tool.json" < $cloneDir/patches/config_rocsp-tool.patch &>>$installLog
+    sudo -u labca -H patch -p1 -o "$boulderLabCADir/config/orphan-finder.json" < $cloneDir/patches/config_orphan-finder.patch &>>$installLog
 
     sed -i -e "s|https://letsencrypt.org/docs/rate-limits/|http://$LABCA_FQDN/rate-limits|" errors/errors.go &>>$installLog
     cp errors/errors.go "$boulderLabCADir/.backup/"
@@ -619,7 +622,15 @@ config_boulder() {
     sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/ra.json
     sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe.json
     sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/wfe2.json
+    sed -i -e "s|.hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/rocsp-tool.json
+    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" config/orphan-finder.json
+    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" issuer-ocsp-responder.json
+    sed -i -e "s|/hierarchy/intermediate-cert-rsa-a.pem|labca/test-ca.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
+    sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/root-ceremony-rsa.yaml
+    sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ocsp-rsa.yaml
+    sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" cert-ceremonies/intermediate-ceremony-rsa.yaml
     sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/publisher.json
+    sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" config/wfe2.json
     sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" integration-test.py
     sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" helpers.py
     sed -i -e "s|/hierarchy/root-cert-rsa.pem|labca/test-root.pem|" v1_integration.py
@@ -746,6 +757,7 @@ startup() {
     fi
     msg_info "$msg (this will take a while!!)"
 
+    docker-compose pull -q &>>$installLog
     docker-compose stop &>>$installLog || true
     for ct in boulder_bhsm_1 boulder_bredis_1 boulder_bredis_2 boulder_bredis_3 boulder_bredis_4 boulder_bredis_5 boulder_bredis_6; do
         [ -z "$(docker ps | grep $ct)" ] || docker stop $ct &>>$installLog

patches/bad-key-revoker_main.patch

@@ -1,5 +1,5 @@
 diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
-index 3f3a953d3..c02b4dfc1 100644
+index 8ae11c24..ce24a792 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
 @@ -15,6 +15,7 @@ import (
@@ -10,30 +10,30 @@ index 3f3a953d3..c02b4dfc1 100644
  	"github.com/letsencrypt/boulder/cmd"
  	"github.com/letsencrypt/boulder/core"
  	"github.com/letsencrypt/boulder/db"
-@@ -352,6 +353,9 @@ func main() {
- 			TLS       cmd.TLSConfig
- 			RAService *cmd.GRPCClientConfig
+@@ -351,6 +352,9 @@ type Config struct {
+ 		TLS       cmd.TLSConfig
+ 		RAService *cmd.GRPCClientConfig
  
-+			DNSTries     int
-+			DNSResolvers []string
++		DNSTries     int
++		DNSResolvers []string
 +
- 			// MaximumRevocations specifies the maximum number of certificates associated with
- 			// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
- 			// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -385,6 +389,12 @@ func main() {
+ 		// MaximumRevocations specifies the maximum number of certificates associated with
+ 		// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
+ 		// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
+@@ -384,6 +388,12 @@ type Config struct {
  
- 		Syslog  cmd.SyslogConfig
- 		Beeline cmd.BeelineConfig
+ 	Syslog  cmd.SyslogConfig
+ 	Beeline cmd.BeelineConfig
 +
-+		Common struct {
-+			DNSResolver               string
-+			DNSTimeout                string
-+			DNSAllowLoopbackAddresses bool
-+		}
- 	}
- 	configPath := flag.String("config", "", "File path to the configuration file for this service")
- 	flag.Parse()
-@@ -434,6 +444,32 @@ func main() {
++	Common struct {
++		DNSResolver               string
++		DNSTimeout                string
++		DNSAllowLoopbackAddresses bool
++	}
+ }
+ 
+ func main() {
+@@ -421,6 +431,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
  	rac := rapb.NewRegistrationAuthorityClient(conn)
  
@@ -66,7 +66,7 @@ index 3f3a953d3..c02b4dfc1 100644
  	var smtpRoots *x509.CertPool
  	if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
-@@ -455,6 +491,7 @@ func main() {
+@@ -442,6 +478,7 @@ func main() {
  		config.BadKeyRevoker.Mailer.Username,
  		smtpPassword,
  		smtpRoots,

patches/cert-checker_main.patch

@@ -1,20 +1,20 @@
 diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
-index fbdd9bb8..dc7fa4fd 100644
+index cfc72632..de4b01ca 100644
 --- a/cmd/cert-checker/main.go
 +++ b/cmd/cert-checker/main.go
-@@ -90,9 +90,10 @@ type certChecker struct {
+@@ -93,9 +93,10 @@ type certChecker struct {
  	issuedReport                report
  	checkPeriod                 time.Duration
  	acceptableValidityDurations map[time.Duration]bool
 +	skipForbiddenDomains        bool
  }
  
--func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool) certChecker {
-+func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker {
+-func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, kp goodkey.KeyPolicy, period time.Duration, avd map[time.Duration]bool) certChecker {
++func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, kp goodkey.KeyPolicy, period time.Duration, avd map[time.Duration]bool, sfd bool) certChecker {
  	return certChecker{
  		pa:                          pa,
- 		dbMap:                       saDbMap,
-@@ -102,6 +103,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, period
+ 		kp:                          kp,
+@@ -106,6 +107,7 @@ func newChecker(saDbMap certDB, clk clock.Clock, pa core.PolicyAuthority, kp goo
  		issuedReport:                report{Entries: make(map[string]reportEntry)},
  		checkPeriod:                 period,
  		acceptableValidityDurations: avd,
@@ -22,7 +22,7 @@ index fbdd9bb8..dc7fa4fd 100644
  	}
  }
  
-@@ -271,7 +273,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
+@@ -275,7 +277,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
  			err = c.pa.WillingToIssueWildcards([]identifier.ACMEIdentifier{id})
  			if err != nil {
  				problems = append(problems, fmt.Sprintf("Policy Authority isn't willing to issue for '%s': %s", name, err))
@@ -31,7 +31,7 @@ index fbdd9bb8..dc7fa4fd 100644
  				// For defense-in-depth, even if the PA was willing to issue for a name
  				// we double check it against a list of forbidden domains. This way even
  				// if the hostnamePolicyFile malfunctions we will flag the forbidden
-@@ -309,11 +311,12 @@ type config struct {
+@@ -326,11 +328,12 @@ type Config struct {
  		DB cmd.DBConfig
  		cmd.HostnamePolicyConfig
  
@@ -49,7 +49,7 @@ index fbdd9bb8..dc7fa4fd 100644
  
  		// AcceptableValidityDurations is a list of durations which are
  		// acceptable for certificates we issue.
-@@ -364,6 +367,8 @@ func main() {
+@@ -386,6 +389,8 @@ func main() {
  		acceptableValidityDurations[ninetyDays] = true
  	}
  
@@ -58,8 +58,8 @@ index fbdd9bb8..dc7fa4fd 100644
  	// Validate PA config and set defaults if needed.
  	cmd.FailOnError(config.PA.CheckChallenges(), "Invalid PA configuration")
  
-@@ -412,6 +417,7 @@ func main() {
- 		pa,
+@@ -421,6 +426,7 @@ func main() {
+ 		kp,
  		config.CertChecker.CheckPeriod.Duration,
  		acceptableValidityDurations,
 +		skipForbiddenDomains,

patches/cmd_shell.patch

@@ -2,7 +2,7 @@ diff --git a/cmd/shell.go b/cmd/shell.go
 index 38f1edaf4..795815483 100644
 --- a/cmd/shell.go
 +++ b/cmd/shell.go
-@@ -165,7 +165,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
+@@ -173,7 +173,7 @@ func NewLogger(logConf SyslogConfig) blog.Logger {
  	// Boulder's conception of time.
  	go func() {
  		for {

patches/config_orphan-finder.patch

@@ -0,0 +1,15 @@
+diff --git a/test/config/orphan-finder.json b/test/config/orphan-finder.json
+index 9ed90276..7c9158d0 100644
+--- a/test/config/orphan-finder.json
++++ b/test/config/orphan-finder.json
+@@ -1,9 +1,7 @@
+ {
+   "backdate": "1h",
+   "issuerCerts": [
+-    "/hierarchy/intermediate-cert-rsa-a.pem",
+-    "/hierarchy/intermediate-cert-rsa-b.pem",
+-    "/hierarchy/intermediate-cert-ecdsa-a.pem"
++    "/hierarchy/intermediate-cert-rsa-a.pem"
+   ],
+ 
+ 

patches/config_rocsp-tool.patch

@@ -0,0 +1,16 @@
+diff --git a/test/config/rocsp-tool.json b/test/config/rocsp-tool.json
+index 9b0a1d13..eace2cf9 100644
+--- a/test/config/rocsp-tool.json
++++ b/test/config/rocsp-tool.json
+@@ -34,10 +34,7 @@
+       }
+     },
+     "issuers": {
+-      ".hierarchy/intermediate-cert-ecdsa-a.pem": 1,
+-      ".hierarchy/intermediate-cert-ecdsa-b.pem": 2,
+-      ".hierarchy/intermediate-cert-rsa-a.pem": 3,
+-      ".hierarchy/intermediate-cert-rsa-b.pem": 4
++      ".hierarchy/intermediate-cert-rsa-a.pem": 1
+     }
+   }
+ }

patches/config_wfe2.patch

@@ -0,0 +1,23 @@
+diff --git a/test/config/wfe2.json b/test/config/wfe2.json
+index c0093044..e8ba4263 100644
+--- a/test/config/wfe2.json
++++ b/test/config/wfe2.json
+@@ -43,18 +43,6 @@
+       [
+         "/hierarchy/intermediate-cert-rsa-a.pem",
+         "/hierarchy/root-cert-rsa.pem"
+-      ],
+-      [
+-        "/hierarchy/intermediate-cert-rsa-b.pem",
+-        "/hierarchy/root-cert-rsa.pem"
+-      ],
+-      [
+-        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+-        "/hierarchy/root-cert-ecdsa.pem"
+-      ],
+-      [
+-        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+-        "/hierarchy/root-cert-ecdsa.pem"
+       ]
+     ],
+     "staleTimeout": "5m",

patches/contact-auditor_main.patch

@@ -1,15 +1,15 @@
 diff --git a/cmd/contact-auditor/main.go b/cmd/contact-auditor/main.go
-index 88792e42a..26dfed7e5 100644
+index e595af47..b00458c5 100644
 --- a/cmd/contact-auditor/main.go
 +++ b/cmd/contact-auditor/main.go
 @@ -12,6 +12,7 @@ import (
  	"time"
  
- 	"github.com/go-sql-driver/mysql"
-+	"github.com/letsencrypt/boulder/core"
  	"github.com/letsencrypt/boulder/cmd"
++	"github.com/letsencrypt/boulder/core"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/policy"
+ 	"github.com/letsencrypt/boulder/sa"
 @@ -49,9 +50,12 @@ func validateContacts(id int64, createdAt string, contacts []string) error {
  		fmt.Fprintf(&probsBuff, "%d\t%s\tvalidation\t%q\t%q\n", id, createdAt, contact, prob)
  	}

patches/core_interfaces.patch

@@ -2,7 +2,7 @@ diff --git a/core/interfaces.go b/core/interfaces.go
 index d19eb4fb8..3ae50d737 100644
 --- a/core/interfaces.go
 +++ b/core/interfaces.go
-@@ -50,4 +50,5 @@ type PolicyAuthority interface {
+@@ -11,4 +11,5 @@ type PolicyAuthority interface {
  	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
  	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
  	ChallengeTypeEnabled(t AcmeChallenge) bool

patches/docker-compose-redis.patch

@@ -11,7 +11,7 @@ index c1d54f23..2b6de7cb 100644
      # Use sd-test-srv as a backup to Docker's embedded DNS server
      # (https://docs.docker.com/config/containers/container-networking/#dns-services).
      # If there's a name Docker's DNS server doesn't know about, it will
-@@ -36,7 +34,6 @@ services:
+@@ -34,7 +32,6 @@ services:
        - 8055:8055 # dns-test-srv updates
      depends_on:
        - bmysql
@@ -19,7 +19,7 @@ index c1d54f23..2b6de7cb 100644
      entrypoint: labca/entrypoint.sh
      working_dir: &boulder_working_dir /go/src/github.com/letsencrypt/boulder
      logging:
-@@ -69,78 +66,6 @@ services:
+@@ -67,78 +64,6 @@ services:
          max-file: "5"
      restart: always
  
@@ -98,7 +98,7 @@ index c1d54f23..2b6de7cb 100644
  
    labca:
      image: *boulder_image
-@@ -181,10 +106,3 @@ networks:
+@@ -179,10 +104,3 @@ networks:
        driver: default
        config:
          - subnet: 10.88.88.0/24

patches/docker-compose.patch

@@ -3,7 +3,7 @@ index f515225e4..c1d54f235 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -4,10 +4,11 @@ services:
-     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17_2021-10-22}
+     image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.17.5_2022-01-13}
      environment:
        FAKE_DNS: 10.77.77.77
 -      BOULDER_CONFIG_DIR: test/config
@@ -15,7 +15,7 @@ index f515225e4..c1d54f235 100644
        - ./.gocache:/root/.cache/go-build:cached
        - ./.hierarchy:/hierarchy/:cached
        - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
-@@ -36,11 +37,19 @@ services:
+@@ -34,11 +35,19 @@ services:
      depends_on:
        - bmysql
        - bredis_clusterer
@@ -36,7 +36,7 @@ index f515225e4..c1d54f235 100644
      networks:
        bluenet:
          aliases:
-@@ -54,7 +63,11 @@ services:
+@@ -52,7 +61,11 @@ services:
      # small.
      command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
      logging:
@@ -49,7 +49,7 @@ index f515225e4..c1d54f235 100644
  
    bredis_1:
      image: redis:latest
-@@ -129,18 +142,31 @@ services:
+@@ -127,18 +140,31 @@ services:
            aliases:
              - boulder-redis-clusterer
  

patches/expiration-mailer_main.patch

@@ -1,5 +1,5 @@
 diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index 862ed2fe7..e8b0aac3d 100644
+index f488b73c..ef2ed34a 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
 @@ -22,6 +22,7 @@ import (
@@ -19,7 +19,7 @@ index 862ed2fe7..e8b0aac3d 100644
  )
  
  type regStore interface {
-@@ -408,6 +409,9 @@ type config struct {
+@@ -409,6 +410,9 @@ type Config struct {
  		TLS       cmd.TLSConfig
  		SAService *cmd.GRPCClientConfig
  
@@ -29,7 +29,7 @@ index 862ed2fe7..e8b0aac3d 100644
  		// Path to a file containing a list of trusted root certificates for use
  		// during the SMTP connection (as opposed to the gRPC connections).
  		SMTPTrustedRootFile string
-@@ -417,6 +421,12 @@ type config struct {
+@@ -418,6 +422,12 @@ type Config struct {
  
  	Syslog  cmd.SyslogConfig
  	Beeline cmd.BeelineConfig
@@ -42,7 +42,7 @@ index 862ed2fe7..e8b0aac3d 100644
  }
  
  func initStats(stats prometheus.Registerer) mailerStats {
-@@ -535,6 +545,32 @@ func main() {
+@@ -520,6 +530,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
  	sac := sapb.NewStorageAuthorityClient(conn)
  
@@ -75,7 +75,7 @@ index 862ed2fe7..e8b0aac3d 100644
  	var smtpRoots *x509.CertPool
  	if c.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -570,6 +606,7 @@ func main() {
+@@ -555,6 +591,7 @@ func main() {
  		c.Mailer.Username,
  		smtpPassword,
  		smtpRoots,

patches/notify-mailer_main.patch

@@ -1,8 +1,8 @@
 diff --git a/cmd/notify-mailer/main.go b/cmd/notify-mailer/main.go
-index fa2aac74e..08430ee10 100644
+index f281d85c..449845dc 100644
 --- a/cmd/notify-mailer/main.go
 +++ b/cmd/notify-mailer/main.go
-@@ -37,6 +37,7 @@ type mailer struct {
+@@ -36,6 +36,7 @@ type mailer struct {
  	recipients    []recipient
  	targetRange   interval
  	sleepInterval time.Duration
@@ -10,26 +10,26 @@ index fa2aac74e..08430ee10 100644
  }
  
  // interval defines a range of email addresses to send to in alphabetical order.
-@@ -151,7 +152,7 @@ func (m *mailer) run() error {
+@@ -152,7 +153,7 @@ func (m *mailer) run() error {
  			continue
  		}
  
--		if err := policy.ValidEmail(address); err != nil {
-+		if err := m.pa.ValidEmail(address); err != nil {
+-		err := policy.ValidEmail(address)
++		err := m.pa.ValidEmail(address)
+ 		if err != nil {
  			m.log.Infof("Skipping %q due to policy violation: %s", address, err)
  			continue
- 		}
-@@ -477,7 +478,9 @@ func main() {
- 		NotifyMailer struct {
- 			DB cmd.DBConfig
- 			cmd.SMTPConfig
-+			cmd.HostnamePolicyConfig
- 		}
-+		PA cmd.PAConfig
- 		Syslog cmd.SyslogConfig
+@@ -448,7 +449,9 @@ type Config struct {
+ 	NotifyMailer struct {
+ 		DB cmd.DBConfig
+ 		cmd.SMTPConfig
++		cmd.HostnamePolicyConfig
  	}
++	PA cmd.PAConfig
+ 	Syslog cmd.SyslogConfig
+ }
  
-@@ -531,6 +534,14 @@ func main() {
+@@ -512,6 +515,14 @@ func main() {
  		log.Infof("While reading the recipient list file %s", probs)
  	}
  
@@ -44,7 +44,7 @@ index fa2aac74e..08430ee10 100644
  	var mailClient bmail.Mailer
  	if *dryRun {
  		log.Infof("Starting %s in dry-run mode", cmd.VersionString())
-@@ -546,6 +557,7 @@ func main() {
+@@ -527,6 +538,7 @@ func main() {
  			cfg.NotifyMailer.Username,
  			smtpPassword,
  			nil,
@@ -52,7 +52,7 @@ index fa2aac74e..08430ee10 100644
  			*address,
  			log,
  			metrics.NoopRegisterer,
-@@ -566,6 +578,7 @@ func main() {
+@@ -547,6 +559,7 @@ func main() {
  			end:   *end,
  		},
  		sleepInterval: *sleep,

patches/policy_pa.patch

@@ -1,5 +1,5 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index 7dd9c37cd..43410e3f9 100644
+index d3494495..184f7186 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
 @@ -31,6 +31,8 @@ type AuthorityImpl struct {
@@ -79,28 +79,29 @@ index 7dd9c37cd..43410e3f9 100644
  	}
  	splitEmail := strings.SplitN(email.Address, "@", -1)
  	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
--	if err := ValidDomain(domain); err != nil {
-+	if err := pa.ValidDomain(domain); err != nil {
+-	err = ValidDomain(domain)
++	err = pa.ValidDomain(domain)
+ 	if err != nil {
  		return berrors.InvalidEmailError(
  			"contact email %q has invalid domain : %s",
- 			email.Address, err)
-@@ -365,10 +388,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+@@ -369,11 +392,15 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
  	}
  	domain := id.Value
  
--	if err := ValidDomain(domain); err != nil {
-+	if err := pa.ValidDomain(domain); err != nil {
+-	err := ValidDomain(domain)
++	err := pa.ValidDomain(domain)
+ 	if err != nil {
  		return err
  	}
  
 +	if ok, _ := pa.checkWhitelist(domain); ok {
-+		return nil
-+	}
++ 		return nil
++ 	}
 +
  	// Require no match against hostname block lists
- 	if err := pa.checkHostLists(domain); err != nil {
- 		return err
-@@ -377,6 +404,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+ 	err = pa.checkHostLists(domain)
+ 	if err != nil {
+@@ -383,6 +410,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
  	return nil
  }
  

patches/ra_ra.patch

@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 275e64a95..873d5c943 100644
+index 1ea20982..937f2859 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
 @@ -31,7 +31,6 @@ import (
@@ -10,12 +10,12 @@ index 275e64a95..873d5c943 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -448,7 +447,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -454,7 +453,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
  				contact,
  			)
  		}
--		if err := policy.ValidEmail(parsed.Opaque); err != nil {
-+		if err := ra.PA.ValidEmail(parsed.Opaque); err != nil {
+-		err = policy.ValidEmail(parsed.Opaque)
++		err = ra.PA.ValidEmail(parsed.Opaque)
+ 		if err != nil {
  			return err
  		}
- 	}

patches/startservers.patch

@@ -2,7 +2,7 @@ diff --git a/test/startservers.py b/test/startservers.py
 index 0df56a4..14aa548 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -146,6 +146,9 @@ processes = []
+@@ -142,6 +142,9 @@ processes = []
  challSrvProcess = None
  
  def setupHierarchy():

patches/test_config_ca_a.patch

@@ -1,5 +1,5 @@
 diff --git a/test/config/ca-a.json b/test/config/ca-a.json
-index 0be07e4..cd5de49 100644
+index 88c438bf..5ff1a9fb 100644
 --- a/test/config/ca-a.json
 +++ b/test/config/ca-a.json
 @@ -60,19 +60,7 @@
@@ -13,7 +13,7 @@ index 0be07e4..cd5de49 100644
 -        {
 -          "useForRSALeaves": false,
 -          "useForECDSALeaves": false,
--          "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
+-          "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
 -          "ocspURL": "http://127.0.0.1:4002/",
 -          "crlURL": "http://example.com/crl",
 -          "location": {

patches/test_config_ca_b.patch

@@ -1,5 +1,5 @@
 diff --git a/test/config/ca-b.json b/test/config/ca-b.json
-index baf5483..0aa6fd4 100644
+index c61ac87e..fb1db942 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
 @@ -60,19 +60,7 @@
@@ -13,7 +13,7 @@ index baf5483..0aa6fd4 100644
 -        {
 -          "useForRSALeaves": false,
 -          "useForECDSALeaves": false,
--          "issuerURL": "http://127.0.0.1:4000/acme/issuer-cert",
+-          "issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
 -          "ocspURL": "http://127.0.0.1:4002/",
 -          "crlURL": "http://example.com/crl",
 -          "location": {