Bump boulder version to release-2024-01-22

2026-01-27 10:19:34 +00:00 · 2024-01-26 20:08:22 +01:00
parent a1a3230ead
commit bef3544d5e
19 changed files with 53 additions and 119 deletions
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.5_2023-12-11 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.21.5_2024-01-17 AS boulder-tools

 FROM ubuntu:focal

--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-01-08"
+boulderTag="release-2024-01-22"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 135e6c9e4..04cd88adf 100644
+index 0169251a5..da9ee1565 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -160,6 +160,9 @@ def setupHierarchyOriginal():
+@@ -172,6 +172,9 @@ def setupHierarchyOriginal():
 
 
 def install(race_detection):
--- a/control_do.sh
+++ b/control_do.sh
@@ -27,12 +27,9 @@ setup_boulder_data() {

    sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
-    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
-    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json
-    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json
-    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json
-    sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca-a.json
-    sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca-b.json
+    sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
+    sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca.json
+    sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
    sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
    sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -69,14 +69,12 @@ sed -i -e "s/\"directoryCAAIdentity\": \".*\"/\"directoryCAAIdentity\": \"$PKI_D
 if ([ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]) || ([ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ]); then
    perl -i -p0e "s/(\"badResultsOnly\":[^\n]*).*?(\s+)(\"checkPeriod\":)/\1\2\"skipForbiddenDomains\": true,\2\3/igs" config/cert-checker.json
    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/cert-checker.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca-a.json
-    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca-b.json
+    perl -i -p0e "s/(\"ignoredLints\": \[).*?(\s+)(\"n_subject_common_name_included\")/\1\2\"e_dnsname_not_valid_tld\",\2\3/igs" config/ca.json
 fi

 [ -e ../test/hostname-policy.yaml ] && cp ../test/hostname-policy.yaml ./ || true
 [ -e ../boulder/test/hostname-policy.yaml ] && cp ../boulder/test/hostname-policy.yaml ./ || true
 [ -e hostname-policy.json ] && rm hostname-policy.json || true
-[ -e config/ca.json ] && rm config/ca.json || true
 [ -e config/expired-authz-purger2.json ] && rm config/expired-authz-purger2.json || true
 [ -e config/janitor.json ] && rm config/janitor.json || true
 cat hostname-policy.yaml | tr '\n' '\r' | sed -e "s/\r# Lockdown.*//" | tr '\r' '\n' > hostname-policy.yaml.bak && mv hostname-policy.yaml.bak hostname-policy.yaml
@@ -99,8 +97,7 @@ if [ "$PKI_DOMAIN_MODE" == "whitelist" ] && [ "$PKI_WHITELIST_DOMAINS" != "" ];
    done
 fi
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
-    sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca-a.json
-    sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca-b.json
+    sed -i -e "s/\(\"n_subject_common_name_included\"\).*\]/\1,\"e_dnsname_not_valid_tld\"\]/" config/ca.json

    REPLACEMENT=""
    if [ "$PKI_DOMAIN_MODE" == "lockdown" ] && [ "$PKI_LOCKDOWN_DOMAINS" != "" ]; then
@@ -127,23 +124,21 @@ fi
 sed -i -e "s/\"shardWidth\": \".*\"/\"shardWidth\": \"$CRLINT\"/" config/crl-updater.json
 sed -i -e "s/\"updatePeriod\": \".*\"/\"updatePeriod\": \"$CRLINT\"/" config/crl-updater.json
 sed -i -e "s/\"lookbackPeriod\": \".*\"/\"lookbackPeriod\": \"$CRLLIFE\"/" config/crl-updater.json
-sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"$CRLLIFE\"/" config/ca-a.json
-sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"$CRLLIFE\"/" config/ca-b.json
+sed -i -e "s/\"lifespanCRL\": \".*\"/\"lifespanCRL\": \"$CRLLIFE\"/" config/ca.json
 rm -f config/contact-exporter.json
 rm -f config/nonce.json
 rm -f config/ocsp-updater.json
 rm -f config/wfe.json
+rm -f config/orphan-finder.json
+rm -f config/ca-a.json
+rm -f config/ca-b.json

-sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-a.json
-sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-b.json
-sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca-a.json
-sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca-b.json
-sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca-a.json
-sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca-b.json
+sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca.json
+sed -i -e "s|\"crlURL\": \".*\"|\"crlURL\": \"http://$PKI_FQDN/crl/$PKI_ISSUER_NAME_ID.crl\"|" config/ca.json
+sed -i -e "s|\"crldpBase\": \".*\"|\"crldpBase\": \"http://$PKI_FQDN/crl\"|" config/ca.json

 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
-    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-a.json
-    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca-b.json
+    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/ca.json
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/admin-revoker.json
    sed -i -e "s/\"timeout\": \"15s\"/\"timeout\": \"30s\"/" config/wfe2.json
    sed -i -e "s/\"timeout\": \"20s\"/\"timeout\": \"40s\"/" config/wfe2.json
--- a/gui/chains.go
+++ b/gui/chains.go
@@ -14,8 +14,7 @@ import (
 	"github.com/spf13/viper"
 )

-const caaConfFile = "/opt/boulder/labca/config/ca-a.json"
-const cabConfFile = "/opt/boulder/labca/config/ca-b.json"
+const caConfFile = "/opt/boulder/labca/config/ca.json"
 const wfeConfFile = "/opt/boulder/labca/config/wfe2.json"

 // From boulder: cmd/boulder-wfe2/main.go
@@ -118,7 +117,7 @@ func getCertFileSubject(certFile string) (string, error) {
 }

 func getRawCAChains() []IssuerConfig {
-	caConf, err := os.Open(caaConfFile)
+	caConf, err := os.Open(caConfFile)
 	if err != nil {
 		fmt.Println(err)
 		return nil
@@ -304,26 +303,16 @@ func setUseForLeavesFile(filename, forRSA, forECDSA string) error {
 }

 func setUseForLeaves(forRSA, forECDSA string) error {
-	if err := exec.Command("cp", "-f", caaConfFile, caaConfFile+"_BAK").Run(); err != nil {
-		return errors.New("could not create ca-a backup file: " + err.Error())
-	}
-	if err := exec.Command("cp", "-f", cabConfFile, cabConfFile+"_BAK").Run(); err != nil {
-		return errors.New("could not create ca-b backup file: " + err.Error())
+	if err := exec.Command("cp", "-f", caConfFile, caConfFile+"_BAK").Run(); err != nil {
+		return errors.New("could not create ca backup file: " + err.Error())
 	}

-	if err := setUseForLeavesFile(caaConfFile, forRSA, forECDSA); err != nil {
-		exec.Command("mv", caaConfFile+"_BAK", caaConfFile).Run()
-		exec.Command("mv", cabConfFile+"_BAK", cabConfFile).Run()
-		return err
-	}
-	if err := setUseForLeavesFile(cabConfFile, forRSA, forECDSA); err != nil {
-		exec.Command("mv", caaConfFile+"_BAK", caaConfFile).Run()
-		exec.Command("mv", cabConfFile+"_BAK", cabConfFile).Run()
+	if err := setUseForLeavesFile(caConfFile, forRSA, forECDSA); err != nil {
+		exec.Command("mv", caConfFile+"_BAK", caConfFile).Run()
 		return err
 	}

-	exec.Command("rm", caaConfFile+"_BAK").Run()
-	exec.Command("rm", cabConfFile+"_BAK").Run()
+	exec.Command("rm", caConfFile+"_BAK").Run()

 	if forRSA != "" {
 		viper.Set("certs.issuerRSA", forRSA)
@@ -336,4 +325,4 @@ func setUseForLeaves(forRSA, forECDSA string) error {
 	}

 	return nil
-}
+}
--- a/11
+++ b/11
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-01-08"
+boulderTag="release-2024-01-22"

 # Feature flags
 flag_skip_redis=true
@@ -666,12 +666,9 @@ config_boulder() {
        cd "$boulderLabCADir"
        sed -i -e "s|https://boulder.service.consul:4431/terms/v7|https://$LABCA_FQDN/terms/v1|" config/wfe2.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/wfe2.json
-        sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-a.json
-        sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca-b.json
-        sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-a.json
-        sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca-b.json
-        sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca-a.json
-        sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca-b.json
+        sed -i -e "s|http://127.0.0.1:4002/|http://$LABCA_FQDN/ocsp/|g" config/ca.json
+        sed -i -e "s|http://example.com/cps|http://$LABCA_FQDN/cps/|g" config/ca.json
+        sed -i -e "s|http://example.com/crl|http://$LABCA_FQDN/crl/|g" config/ca.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va.json
        sed -i -e "s|boulder.service.consul:4001|$LABCA_FQDN|g" config/va.json
        sed -i -e "s|boulder.service.consul:4000|$LABCA_FQDN|g" config/va-remote-a.json
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -15,8 +15,7 @@ boulderLabCADir="${2:-labca}"
 $SUDO patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/patches/entrypoint.patch
 cp test/startservers.py "$boulderLabCADir/startservers.py"

-$SUDO patch -p1 -o "$boulderLabCADir/config/ca-a.json" < $cloneDir/patches/test_config_ca_a.patch
-$SUDO patch -p1 -o "$boulderLabCADir/config/ca-b.json" < $cloneDir/patches/test_config_ca_b.patch
+$SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch

 $SUDO patch -p1 -o "$boulderLabCADir/config/expiration-mailer.json" < $cloneDir/patches/config_expiration-mailer.patch
 $SUDO patch -p1 -o "$boulderLabCADir/config/notify-mailer.json" < $cloneDir/patches/config_notify-mailer.patch
@@ -68,15 +67,13 @@ sed -i -e "s/5002/80/g" config/va-remote-a.json
 sed -i -e "s/5001/443/g" config/va-remote-b.json
 sed -i -e "s/5002/80/g" config/va-remote-b.json
 sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
-sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-a.json
-sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca-b.json
+sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json
 sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/ra.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-a.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/va-remote-b.json
-sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca-a.json
-sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca-b.json
+sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/ca.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-a.json
 sed -i -e "s/\"stdoutlevel\": 4,/\"stdoutlevel\": 6,/" config/va-remote-b.json

--- a/patches/ca_crl.patch
+++ b/patches/ca_crl.patch
@@ -1,13 +1,13 @@
 diff --git a/ca/crl.go b/ca/crl.go
-index 10cbde3e2..91db977c4 100644
+index 3232ab419..ce6f76e36 100644
 --- a/ca/crl.go
 +++ b/ca/crl.go
@@ -117,7 +117,7 @@ func (ci *crlImpl) GenerateCRL(stream capb.CRLGenerator_GenerateCRLServer) error
 	}
 
 	// Add the Issuing Distribution Point extension.
-	idp, err := makeIDPExt(ci.idpBase, issuer.Cert.NameID(), shard)
-+	idp, err := makeIDPExt(ci.idpBase, issuer.Cert.NameID())
+-	idp, err := makeIDPExt(ci.idpBase, issuer.NameID(), shard)
+	idp, err := makeIDPExt(ci.idpBase, issuer.NameID())
 	if err != nil {
 		return fmt.Errorf("creating IDP extension: %w", err)
 	}
@@ -28,8 +28,8 @@ index 10cbde3e2..91db977c4 100644
 // makeIDPExt returns a critical IssuingDistributionPoint extension containing a
 // URI built from the base url, the issuer's NameID, and the shard number. It
 // also sets the OnlyContainsUserCerts boolean to true.
-func makeIDPExt(base string, issuer issuance.IssuerNameID, shardIdx int64) (*pkix.Extension, error) {
-+func makeIDPExt(base string, issuer issuance.IssuerNameID) (*pkix.Extension, error) {
+-func makeIDPExt(base string, issuer issuance.NameID, shardIdx int64) (*pkix.Extension, error) {
+func makeIDPExt(base string, issuer issuance.NameID) (*pkix.Extension, error) {
 	val := issuingDistributionPoint{
 		DistributionPoint: distributionPointName{
 			[]asn1.RawValue{ // GeneralNames
--- a/patches/config_bad-key-revoker.patch
+++ b/patches/config_bad-key-revoker.patch
@@ -16,7 +16,7 @@ index f4696dc2..b9c19ce3 100644
 		"tls": {
 			"caCertFile": "test/grpc-creds/minica.pem",
 			"certFile": "test/grpc-creds/bad-key-revoker.boulder/cert.pem",
-@@ -27,7 +34,7 @@
+@@ -32,7 +39,7 @@
 		},
 		"maximumRevocations": 15,
 		"findCertificatesBatchSize": 10,
--- a/patches/config_crl-updater.patch
+++ b/patches/config_crl-updater.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/crl-updater.json b/test/config/crl-updater.json
 index f6b70123f..a6c1471e5 100644
 --- a/test/config/crl-updater.json
 +++ b/test/config/crl-updater.json
-@@ -22,16 +22,14 @@
+@@ -36,16 +36,14 @@
 			"hostOverride": "crl-storer.boulder"
 		},
 		"issuerCerts": [
--- a/patches/config_ocsp-responder.patch
+++ b/patches/config_ocsp-responder.patch
@@ -25,7 +25,7 @@ index bfea858d..fecea919 100644
 		"tls": {
 			"caCertFile": "test/grpc-creds/minica.pem",
 			"certFile": "test/grpc-creds/ocsp-responder.boulder/cert.pem",
-@@ -39,9 +23,7 @@
+@@ -49,9 +33,7 @@
 		"path": "/",
 		"listenAddress": "0.0.0.0:4002",
 		"issuerCerts": [
--- a/patches/config_wfe2.patch
+++ b/patches/config_wfe2.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/wfe2.json b/test/config/wfe2.json
 index c0093044..e8ba4263 100644
 --- a/test/config/wfe2.json
 +++ b/test/config/wfe2.json
-@@ -56,26 +56,6 @@
+@@ -79,26 +79,6 @@
 			[
 				"/hierarchy/intermediate-cert-rsa-a.pem",
 				"/hierarchy/root-cert-rsa.pem"
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -10,7 +10,7 @@ index 7c62ad078..21bc601b4 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -559,7 +558,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 				contact,
 			)
 		}
--- a/patches/startservers.patch
+++ b/patches/startservers.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index b5fc73439..135e6c9e4 100644
+index 1ddfef04d..0169251a5 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -146,6 +146,9 @@ processes = []
+@@ -158,6 +158,9 @@ processes = []
 challSrvProcess = None
 
 def setupHierarchy():
--- a/patches/storer_storer.patch
+++ b/patches/storer_storer.patch
@@ -1,5 +1,5 @@
 diff --git a/crl/storer/storer.go b/crl/storer/storer.go
-index cd0bf86c0..26e52f789 100644
+index 296852415..00dc7da90 100644
 --- a/crl/storer/storer.go
 +++ b/crl/storer/storer.go
@@ -11,7 +11,11 @@ import (
@@ -19,7 +19,7 @@ index cd0bf86c0..26e52f789 100644
 	s3Client         simpleS3
 	s3Bucket         string
 +	localStorePath   string
- 	issuers          map[issuance.IssuerNameID]*issuance.Certificate
+ 	issuers          map[issuance.NameID]*issuance.Certificate
 	uploadCount      *prometheus.CounterVec
 	sizeHistogram    *prometheus.HistogramVec
@@ -50,6 +55,7 @@ func New(
@@ -72,7 +72,7 @@ index cd0bf86c0..26e52f789 100644
 	return nil
 }
 +
-+func storeLocalFile(path string, nameID issuance.IssuerNameID, crlNumber *big.Int, shardIdx int64, crlBytes io.Reader) error {
+func storeLocalFile(path string, nameID issuance.NameID, crlNumber *big.Int, shardIdx int64, crlBytes io.Reader) error {
 +	// Write the file
 +	fn := fmt.Sprintf("%s%c%d-%d-%d.crl", path, os.PathSeparator, nameID, crlNumber, shardIdx)
 +	out, err := os.Create(fn)
--- a/patches/test_config_ca_a.patch
+++ b/patches/test_config_ca_a.patch
@@ -1,8 +1,8 @@
-diff --git a/test/config/ca-a.json b/test/config/ca-a.json
+diff --git a/test/config/ca.json b/test/config/ca.json
 index 1233a9c95..3c4a0a3ca 100644
--- a/test/config/ca-a.json
-+++ b/test/config/ca-a.json
-@@ -54,35 +54,13 @@
+--- a/test/config/ca.json
+++ b/test/config/ca.json
+@@ -59,35 +59,13 @@
 			},
 			"issuers": [
 				{
--- a/patches/test_config_ca_b.patch
+++ b/patches/test_config_ca_b.patch
@@ -1,41 +0,0 @@
-diff --git a/test/config/ca-b.json b/test/config/ca-b.json
-index 960d62f95..54b25dd81 100644
--- a/test/config/ca-b.json
-+++ b/test/config/ca-b.json
-@@ -54,35 +54,13 @@
- 			},
- 			"issuers": [
- 				{
-					"useForRSALeaves": false,
-					"useForECDSALeaves": true,
-					"issuerURL": "http://127.0.0.1:4001/aia/issuer/5214744660557630",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"location": {
-						"configFile": "/hierarchy/intermediate-signing-key-ecdsa.pkcs11.json",
-						"certFile": "/hierarchy/intermediate-cert-ecdsa-a.pem",
-						"numSessions": 2
-					}
-				},
-				{
- 					"useForRSALeaves": true,
- 					"useForECDSALeaves": true,
- 					"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
- 					"ocspURL": "http://127.0.0.1:4002/",
- 					"location": {
- 						"configFile": "test/test-ca.key-pkcs11.json",
-						"certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
-						"numSessions": 2
-					}
-				},
-				{
-					"useForRSALeaves": false,
-					"useForECDSALeaves": false,
-					"issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
-					"ocspURL": "http://127.0.0.1:4002/",
-					"location": {
-						"configFile": "test/test-ca.key-pkcs11.json",
-						"certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
-+						"certFile": "test/test-ca.pem",
- 						"numSessions": 2
- 					}
- 				}
--- a/patches/updater_continuous.patch
+++ b/patches/updater_continuous.patch
@@ -1,5 +1,5 @@
 diff --git a/crl/updater/continuous.go b/crl/updater/continuous.go
-index 05f1d1bf..1c678a9c 100644
+index e4552f68f..7aaef33c0 100644
 --- a/crl/updater/continuous.go
 +++ b/crl/updater/continuous.go
@@ -3,6 +3,7 @@ package updater
@@ -37,6 +37,6 @@ index 05f1d1bf..1c678a9c 100644
 +		cu.RunOnce(ctx)
 +	}
 +
- 	shardWorker := func(issuerNameID issuance.IssuerNameID, shardIdx int) {
+ 	shardWorker := func(issuerNameID issuance.NameID, shardIdx int) {
 		defer wg.Done()