Bump boulder version to v0.20250902.0

2026-01-27 10:19:34 +00:00 · 2025-09-06 12:39:43 +02:00
parent 4130555e84
commit c23a8762aa
42 changed files with 213 additions and 317 deletions
--- a/.github/workflows/build-standalone.yml
+++ b/.github/workflows/build-standalone.yml
@@ -17,7 +17,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.24.4
+          - 1.25.0

    steps:
      - name: Checkout
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -20,7 +20,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.24.4
+          - 1.25.0

    steps:
      - uses: actions/checkout@v5
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.24.4
+          - 1.25.0

    steps:
      - name: Checkout
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM letsencrypt/boulder-tools:go1.24.4_2025-06-06 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools

 FROM ubuntu:noble

--- a/build/Dockerfile-control
+++ b/build/Dockerfile-control
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM letsencrypt/boulder-tools:go1.24.4_2025-06-06 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools

 FROM ubuntu:noble AS builder

--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="v0.20250728.0"
+boulderTag="v0.20250902.0"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -9,7 +9,7 @@ services:
      context: test/boulder-tools/
      # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
      args:
-        GO_VERSION: 1.24.1
+        GO_VERSION: 1.25.0
    environment:
      # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
      # to the IP address where your ACME client's solver is listening. This is
@@ -17,7 +17,6 @@ services:
      FAKE_DNS: 64.112.117.122
      BOULDER_CONFIG_DIR: labca/config
      GOCACHE: /boulder/.gocache/go-build
-      GOFLAGS: -mod=vendor
    volumes:
      - boulder_data:/opt/boulder/labca
      - certificates:/opt/boulder/labca/certs
@@ -51,7 +50,6 @@ services:
      - "integration.trust:64.112.117.122"
    ports:
      - 4001:4001 # ACMEv2
-      - 4002:4002 # OCSP
      - 4003:4003 # SFE
    depends_on:
      - bmysql
@@ -114,8 +112,6 @@ services:

  gui:
    image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest}
-    networks:
-      - bouldernet
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker-compose.yml:/opt/boulder/docker-compose.yml
@@ -125,6 +121,8 @@ services:
      - boulder_data:/opt/boulder/labca
      - certificates:/opt/boulder/labca/certs
      - softhsm:/var/lib/softhsm/tokens
+    networks:
+      - bouldernet
    expose:
      - 3000
    depends_on:
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index b9a8ac069..71ca7e0be 100644
+index c0c7fc838..12f2cc1e7 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
@@ -11,9 +11,9 @@ index b9a8ac069..71ca7e0be 100644
     build:
       context: test/boulder-tools/
       # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
-@@ -19,11 +19,10 @@ services:
+@@ -18,11 +18,10 @@ services:
+       BOULDER_CONFIG_DIR: labca/config
       GOCACHE: /boulder/.gocache/go-build
-       GOFLAGS: -mod=vendor
     volumes:
 -      - .:/opt/boulder:cached
 -      - /home/labca/boulder_labca:/opt/boulder/labca
@@ -27,7 +27,7 @@ index b9a8ac069..71ca7e0be 100644
     networks:
       bouldernet:
         ipv4_address: 10.77.77.77
-@@ -91,7 +90,8 @@ services:
+@@ -89,7 +88,8 @@ services:
     image: redis:6.2.7
     volumes:
       - ./test/:/test/:cached
@@ -37,7 +37,7 @@ index b9a8ac069..71ca7e0be 100644
     command: redis-server /opt/boulder/labca/redis-ratelimits.config
     networks:
       bouldernet:
-@@ -103,33 +103,35 @@ services:
+@@ -101,24 +101,26 @@ services:
     depends_on:
       - control
     volumes:
@@ -54,8 +54,6 @@ index b9a8ac069..71ca7e0be 100644
   gui:
 -    image: *boulder_tools_image
 +    image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest}
-     networks:
-       - bouldernet
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
 -      - /home/labca/admin:/go/src/labca
@@ -72,8 +70,10 @@ index b9a8ac069..71ca7e0be 100644
 +      - boulder_data:/opt/boulder/labca
 +      - certificates:/opt/boulder/labca/certs
 +      - softhsm:/var/lib/softhsm/tokens
+     networks:
+       - bouldernet
     expose:
-       - 3000
+@@ -126,8 +128,8 @@ services:
     depends_on:
       - bmysql
       - control
@@ -84,7 +84,7 @@ index b9a8ac069..71ca7e0be 100644
     logging:
       driver: "json-file"
       options:
-@@ -146,30 +148,28 @@ services:
+@@ -144,30 +146,28 @@ services:
       - 80:80
       - 443:443
     volumes:
@@ -129,7 +129,7 @@ index b9a8ac069..71ca7e0be 100644
     expose:
       - 3030
     environment:
-@@ -186,6 +186,15 @@ services:
+@@ -184,6 +184,15 @@ services:
 
 volumes:
   dbdata:
--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,11 +1,11 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index e4645852a..b988b48fe 100644
+index df82abbf8..08720c37e 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -190,6 +190,9 @@ processes = []
+@@ -186,6 +186,9 @@ processes = []
 challSrvProcess = None
 
- def install(race_detection):
+ def install(race_detection, coverage=False):
 +    return True
 +
 +def installOriginal(race_detection):
--- a/2
+++ b/2
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="v0.20250728.0"
+boulderTag="v0.20250902.0"

 #
 # Color configuration
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -15,7 +15,6 @@ $SUDO patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/patches/entrypoi
 cp test/startservers.py "$boulderLabCADir/startservers.py"

 $SUDO patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/patches/config_bad-key-revoker.patch
-$SUDO patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch
 $SUDO patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch
 $SUDO patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch
 $SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch
@@ -36,12 +35,9 @@ perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\"
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-c.json
 perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json

-perl -i -p0e "s/\n    \"redis\": \{\n.*?    \},//igs" $boulderLabCADir/config/ocsp-responder.json
-
 for f in $(grep -l boulder-proxysql $boulderLabCADir/secrets/*); do sed -i -e "s/proxysql:6033/mysql:3306/" $f; done

 cd "$boulderLabCADir"
-sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/ocsp-responder.json
 sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/publisher.json
 sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/ca.json
 sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/wfe2.json
@@ -57,7 +53,6 @@ sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/certs/webpki/root-01-cert
 sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/certs/webpki/root-01-cert.pem|" helpers.py
 sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json
 sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json
-sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json
 sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-c.json
@@ -75,11 +70,7 @@ perl -i -p0e "s/(services {\s*id\s*=\s*\"bredis4\".*?}\n\n)//igs" consul/config.
 sed -i -e "s|test/certs|/opt/boulder/labca/certs|" consul/config.hcl
 sed -i -e "s|/test/certs|/opt/boulder/labca/certs|" redis-ratelimits.config

-perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"shardAddrs\": {)/\1\2\1\"db\": 0,\1\3/igs" config/ocsp-responder.json
-perl -i -p0e "s/(\"shardAddrs\": {\n)(\s*).*?(\s*},)/\1\2\"shard1\": \"10.33.33.4:4218\"\3/igs" config/ocsp-responder.json
 perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"lookups\": \[)/\1\2\1\"db\": 1,\1\3/igs" config/ra.json
-perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"shardAddrs\": {)/\1\2\1\"db\": 0,\1\3/igs" config/rocsp-tool.json
-perl -i -p0e "s/(\"shardAddrs\": {\n)(\s*).*?(\s*},)/\1\2\"shard1\": \"10.33.33.4:4218\"\3/igs" config/rocsp-tool.json
 perl -i -p0e "s/,(\s*)(\"passwordFile\":.*?,).*(\"lookups\": \[)/,\1\2\1\"db\": 1,\1\3/igs" config/wfe2.json

 for file in `find . -type f | grep -v .git`; do
--- a/patch.sh
+++ b/patch.sh
@@ -14,6 +14,7 @@ if [ "$SUDO" == "" ]; then
    $SUDO patch -p1 < $cloneDir/build/tmp.patch
 fi

+$SUDO patch -p1 < $cloneDir/patches/admin_overrides_add.patch
 $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/bdns_dns.patch
 $SUDO patch -p1 < $cloneDir/patches/boulder-ra_main.patch
@@ -29,7 +30,6 @@ $SUDO patch -p1 < $cloneDir/patches/ceremony_rsa.patch
 $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch
 $SUDO patch -p1 < $cloneDir/patches/config_duration.patch
-$SUDO patch -p1 < $cloneDir/patches/config_rocsp_config.patch
 $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch
 $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch
 $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch
@@ -44,23 +44,22 @@ $SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch
 $SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch
 $SUDO patch -p1 < $cloneDir/patches/log_validator_validator.patch
 $SUDO patch -p1 < $cloneDir/patches/makefile.patch
-$SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch
 $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
 $SUDO patch -p1 < $cloneDir/patches/redis_config.patch
 $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
 $SUDO patch -p1 < $cloneDir/patches/reversed-hostname-checker_main.patch
+$SUDO patch -p1 < $cloneDir/patches/sfe_overrides.patch
+$SUDO patch -p1 < $cloneDir/patches/sfe_templates_layout.patch
 $SUDO patch -p1 < $cloneDir/patches/start.patch
+$SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
+$SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/test_startservers.patch
 if [ "$SUDO" == "" ]; then
    # TODO: should include this into startservers.patch
    $SUDO patch -p1 < $cloneDir/build/tmp2.patch
 fi
-$SUDO patch -p1 < $cloneDir/patches/sfe_templates_layout.patch
-$SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
-$SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch
-$SUDO patch -p1 < $cloneDir/patches/test_ocsp_helper_helper.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_continuous.patch
 $SUDO patch -p1 < $cloneDir/patches/va_http.patch
--- a/patches/admin_overrides_add.patch
+++ b/patches/admin_overrides_add.patch
@@ -0,0 +1,17 @@
+diff --git a/cmd/admin/overrides_add.go b/cmd/admin/overrides_add.go
+index 6c217b0a1..0955b4256 100644
+--- a/cmd/admin/overrides_add.go
+++ b/cmd/admin/overrides_add.go
+@@ -51,7 +51,11 @@ func validateIdentifiers(idents ...identifier.ACMEIdentifier) error {
+ 	for _, ident := range idents {
+ 		switch ident.Type {
+ 		case identifier.TypeDNS:
+-			err := policy.ValidDomain(ident.Value)
+			pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil)
+			if err != nil {
+				return fmt.Errorf("cannot create policy authority implementation")
+			}
+			err = pa.ValidDomain(ident.Value)
+ 			if err != nil {
+ 				return fmt.Errorf("invalid domain %s: %s", ident.Value, err)
+ 			}
--- a/patches/boulder-ra_main.patch
+++ b/patches/boulder-ra_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go
-index 9aa809e42..0facecca5 100644
+index dd30f78cd..a3b6c2e88 100644
 --- a/cmd/boulder-ra/main.go
 +++ b/cmd/boulder-ra/main.go
-@@ -270,6 +270,8 @@ func main() {
+@@ -268,6 +268,8 @@ func main() {
 		limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger)
 		cmd.FailOnError(err, "Failed to create Redis ring")
 
--- a/patches/boulder-va_main.patch
+++ b/patches/boulder-va_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
-index 5086a3923..f557f33b0 100644
+index dd3fe9b39..5f6325f51 100644
 --- a/cmd/boulder-va/main.go
 +++ b/cmd/boulder-va/main.go
-@@ -53,6 +53,7 @@ type Config struct {
+@@ -54,6 +54,7 @@ type Config struct {
 		// Deprecated and ignored
 		MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"`
 		Features                    features.Config
@@ -10,8 +10,8 @@ index 5086a3923..f557f33b0 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -82,12 +83,16 @@ func main() {
- 	clk := cmd.Clock()
+@@ -83,12 +84,16 @@ func main() {
+ 	clk := clock.New()
 
 	var servers bdns.ServerProvider
 +	proto := "udp"
--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index f8caf76fb..400d2b613 100644
+index 4f5c863e0..8e4d57233 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -171,10 +171,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -170,10 +170,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/ca_ca_keytype_hack.patch
+++ b/patches/ca_ca_keytype_hack.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 400d2b613..09e651a96 100644
+index 8e4d57233..8a95367ac 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -171,10 +171,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -170,10 +170,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/ceremony_crl.patch
+++ b/patches/ceremony_crl.patch
@@ -1,13 +1,23 @@
 diff --git a/cmd/ceremony/crl.go b/cmd/ceremony/crl.go
-index 98790d906..4de35ae5c 100644
+index cde31023d..ab5d30aff 100644
 --- a/cmd/ceremony/crl.go
 +++ b/cmd/ceremony/crl.go
-@@ -42,7 +42,7 @@ func generateCRL(signer crypto.Signer, issuer *x509.Certificate, thisUpdate, nex
+@@ -7,6 +7,7 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"math/big"
+	"slices"
+ 	"time"
+ 
+ 	"github.com/letsencrypt/boulder/crl/idp"
+@@ -42,6 +43,10 @@ func generateCRL(signer crypto.Signer, issuer *x509.Certificate, thisUpdate, nex
 	}
 	template.ExtraExtensions = append(template.ExtraExtensions, *idp)
 
-	err = linter.CheckCRL(template, issuer, signer, []string{})
-+	err = linter.CheckCRL(template, issuer, signer, []string{"e_crl_next_update_invalid"})
+	if !slices.Contains(skipLints, "e_crl_next_update_invalid") {
+		skipLints = append(skipLints, "e_crl_next_update_invalid")
+	}
+
+ 	err = linter.CheckCRL(template, issuer, signer, skipLints)
 	if err != nil {
 		return nil, fmt.Errorf("crl failed pre-issuance lint: %w", err)
- 	}
--- a/patches/ceremony_main.patch
+++ b/patches/ceremony_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/ceremony/main.go b/cmd/ceremony/main.go
-index 12cc9249c..8ac5af0a3 100644
+index 1a2cde645..193d7e325 100644
 --- a/cmd/ceremony/main.go
 +++ b/cmd/ceremony/main.go
@@ -98,6 +98,7 @@ type keyGenConfig struct {
@@ -33,7 +33,7 @@ index 12cc9249c..8ac5af0a3 100644
 	}
 	err = checkOutputFile(rc.Outputs.CertificatePath, "certificate-path")
 	if err != nil {
-@@ -629,23 +633,42 @@ func rootCeremony(configBytes []byte) error {
+@@ -630,23 +634,42 @@ func rootCeremony(configBytes []byte) error {
 		return fmt.Errorf("failed to setup session and PKCS#11 context for slot %d: %s", config.PKCS11.StoreSlot, err)
 	}
 	log.Printf("Opened PKCS#11 session for slot %d\n", config.PKCS11.StoreSlot)
--- a/patches/cmd_config.patch
+++ b/patches/cmd_config.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/config.go b/cmd/config.go
-index 29649639f..776ebb5f2 100644
+index 9c7f2dc4a..087cd0652 100644
 --- a/cmd/config.go
 +++ b/cmd/config.go
-@@ -462,7 +462,7 @@ type GRPCServerConfig struct {
+@@ -440,7 +440,7 @@ type GRPCServerConfig struct {
 	// this controls how long it takes before a client learns about changes to its
 	// backends.
 	// https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters
--- a/patches/config_ocsp-responder.patch
+++ b/patches/config_ocsp-responder.patch
@@ -1,41 +0,0 @@
-diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
-index 1e5d4cb70..e56719c21 100644
--- a/test/config/ocsp-responder.json
-+++ b/test/config/ocsp-responder.json
-@@ -4,22 +4,6 @@
- 			"dbConnectFile": "test/secrets/ocsp_responder_dburl",
- 			"maxOpenConns": 10
- 		},
-		"redis": {
-			"username": "ocsp-responder",
-			"passwordFile": "test/secrets/ocsp_responder_redis_password",
-			"shardAddrs": {
-				"shard1": "10.77.77.2:4218",
-				"shard2": "10.77.77.3:4218"
-			},
-			"timeout": "5s",
-			"poolSize": 100,
-			"routeRandomly": true,
-			"tls": {
-				"caCertFile": "test/certs/ipki/minica.pem",
-				"certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
-				"keyFile": "test/certs/ipki/ocsp-responder.boulder/key.pem"
-			}
-		},
- 		"tls": {
- 			"caCertFile": "test/certs/ipki/minica.pem",
- 			"certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem",
-@@ -49,12 +33,7 @@
- 		"path": "/",
- 		"listenAddress": "0.0.0.0:4002",
- 		"issuerCerts": [
-			"test/certs/webpki/int-rsa-a.cert.pem",
-			"test/certs/webpki/int-rsa-b.cert.pem",
-			"test/certs/webpki/int-rsa-c.cert.pem",
-			"test/certs/webpki/int-ecdsa-a.cert.pem",
-			"test/certs/webpki/int-ecdsa-b.cert.pem",
-			"test/certs/webpki/int-ecdsa-c.cert.pem"
-+			"test/certs/webpki/int-rsa-a.cert.pem"
- 		],
- 		"liveSigningPeriod": "60h",
- 		"timeout": "4.9s",
--- a/patches/config_ra.patch
+++ b/patches/config_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/ra.json b/test/config/ra.json
-index ade9fcc1c..994fa031a 100644
+index 1cecd4772..39b9f6284 100644
 --- a/test/config/ra.json
 +++ b/test/config/ra.json
@@ -3,7 +3,8 @@
@@ -58,7 +58,7 @@ index ade9fcc1c..994fa031a 100644
 		},
 		"vaService": {
 			"dnsAuthority": "consul.service.consul",
-@@ -164,7 +160,7 @@
+@@ -153,7 +149,7 @@
 		},
 		"ctLogs": {
 			"stagger": "500ms",
--- a/patches/config_rocsp_config.patch
+++ b/patches/config_rocsp_config.patch
@@ -1,21 +0,0 @@
-diff --git a/rocsp/config/rocsp_config.go b/rocsp/config/rocsp_config.go
-index c5416a499..d23091b53 100644
--- a/rocsp/config/rocsp_config.go
-+++ b/rocsp/config/rocsp_config.go
-@@ -31,6 +31,8 @@ type RedisConfig struct {
- 	TLS cmd.TLSConfig
- 	// Username is a Redis username.
- 	Username string `validate:"required"`
-+	// DB is the database number in Redis
-+	DB int `validate:"min=0"`
- 	// ShardAddrs is a map of shard names to IP address:port pairs. The go-redis
- 	// `Ring` client will shard reads and writes across the provided Redis
- 	// Servers based on a consistent hashing algorithm.
-@@ -114,6 +116,7 @@ func MakeClient(c *RedisConfig, clk clock.Clock, stats prometheus.Registerer) (*
- 
- 	rdb := redis.NewRing(&redis.RingOptions{
- 		Addrs:     c.ShardAddrs,
-+		DB:        c.DB,
- 		Username:  c.Username,
- 		Password:  password,
- 		TLSConfig: tlsConfig,
--- a/patches/crl-storer_main.patch
+++ b/patches/crl-storer_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go
-index 4dddfaa9f..8dcf40bbc 100644
+index 8753d858f..87c11e1fc 100644
 --- a/cmd/crl-storer/main.go
 +++ b/cmd/crl-storer/main.go
-@@ -46,6 +46,9 @@ type Config struct {
+@@ -47,6 +47,9 @@ type Config struct {
 		// https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html.
 		AWSCredsFile string
 
@@ -12,7 +12,7 @@ index 4dddfaa9f..8dcf40bbc 100644
 		Features features.Config
 	}
 
-@@ -129,7 +132,7 @@ func main() {
+@@ -130,7 +133,7 @@ func main() {
 	}
 	s3client := s3.NewFromConfig(awsConfig, s3opts...)
 
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 8092b1522..b9a8ac069 100644
+index 2e2ff2746..c0c7fc838 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
@@ -1,3 +1,4 @@
@@ -7,14 +7,13 @@ index 8092b1522..b9a8ac069 100644
 services:
   boulder:
     # The `letsencrypt/boulder-tools:latest` tag is automatically built in local
-@@ -14,13 +15,15 @@ services:
+@@ -14,12 +15,14 @@ services:
       # to the IP address where your ACME client's solver is listening. This is
       # pointing at the boulder service's "public" IP, where challtestsrv is.
       FAKE_DNS: 64.112.117.122
 -      BOULDER_CONFIG_DIR: test/config
 +      BOULDER_CONFIG_DIR: labca/config
       GOCACHE: /boulder/.gocache/go-build
-       GOFLAGS: -mod=vendor
     volumes:
 -      - .:/boulder:cached
 +      - .:/opt/boulder:cached
@@ -26,15 +25,13 @@ index 8092b1522..b9a8ac069 100644
     networks:
       bouldernet:
         ipv4_address: 10.77.77.77
-@@ -53,122 +56,136 @@ services:
+@@ -51,98 +54,136 @@ services:
       - 4003:4003 # SFE
     depends_on:
       - bmysql
 -      - bproxysql
 -      - bredis_1
 -      - bredis_2
-      - bredis_3
-      - bredis_4
 +      - bredis
       - bconsul
 -      - bjaeger
@@ -84,12 +81,7 @@ index 8092b1522..b9a8ac069 100644
 +    command: mysqld --bind-address=0.0.0.0 --log-output=TABLE
     logging:
 -      driver: none
-+      driver: "json-file"
-+      options:
-+        max-size: "500k"
-+        max-file: "5"
-+    restart: always
- 
+-
 -  bproxysql:
 -    image: proxysql/proxysql:2.5.4
 -    # The --initial flag force resets the ProxySQL database on startup. By
@@ -105,62 +97,53 @@ index 8092b1522..b9a8ac069 100644
 -      bouldernet:
 -        aliases:
 -          - boulder-proxysql
-
+      driver: "json-file"
+      options:
+        max-size: "500k"
+        max-file: "5"
+    restart: always
+ 
 -  bredis_1:
 +  bredis:
     image: redis:6.2.7
     volumes:
       - ./test/:/test/:cached
-    command: redis-server /test/redis-ocsp.config
+-    command: redis-server /test/redis-ratelimits.config
 +      - /home/labca/boulder_labca:/opt/boulder/labca
 +    command: redis-server /opt/boulder/labca/redis-ratelimits.config
     networks:
       bouldernet:
-        # TODO(#8215): Remove this static IP allocation (and similar below) when
-        # we tear down ocsp-responder. We only have it because ocsp-responder
-        # requires IPs in its "ShardAddrs" config, while ratelimit redis
-        # supports looking up shards via hostname and SRV record.
-        ipv4_address: 10.77.77.2
-+        ipv4_address: 10.77.77.4
-+    restart: always
- 
+         ipv4_address: 10.77.77.4
+-
 -  bredis_2:
 -    image: redis:6.2.7
-+  bconsul:
-+    image: hashicorp/consul:1.15.4
-+    depends_on:
-+      - control
-     volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-ocsp.config
-+      - /home/labca/boulder_labca:/opt/boulder/labca
-     networks:
-       bouldernet:
-        ipv4_address: 10.77.77.3
-+        ipv4_address: 10.77.77.10
-+    command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
-+    restart: always
- 
-  bredis_3:
-    image: redis:6.2.7
 -    volumes:
 -      - ./test/:/test/:cached
 -    command: redis-server /test/redis-ratelimits.config
-+  gui:
-+    image: *boulder_tools_image
-     networks:
-      bouldernet:
-        ipv4_address: 10.77.77.4
-
-  bredis_4:
-    image: redis:6.2.7
-+      - bouldernet
-     volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-ratelimits.config
 -    networks:
 -      bouldernet:
 -        ipv4_address: 10.77.77.5
+    restart: always
+ 
+   bconsul:
+     image: hashicorp/consul:1.15.4
+    depends_on:
+      - control
+     volumes:
+-     - ./test/:/test/:cached
+      - /home/labca/boulder_labca:/opt/boulder/labca
+     networks:
+       bouldernet:
+         ipv4_address: 10.77.77.10
+-    command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+    command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl"
+    restart: always
+ 
+-  bjaeger:
+-    image: jaegertracing/all-in-one:1.50
+  gui:
+    image: *boulder_tools_image
+    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin:/go/src/labca
 +      - ./.gocache:/root/.cache/go-build
@@ -169,6 +152,8 @@ index 8092b1522..b9a8ac069 100644
 +      - .:/opt/boulder
 +      - /home/labca/boulder_labca:/opt/boulder/labca
 +      - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/
+     networks:
+       - bouldernet
 +    expose:
 +      - 3000
 +    depends_on:
@@ -182,18 +167,11 @@ index 8092b1522..b9a8ac069 100644
 +        max-size: "500k"
 +        max-file: "5"
 +    restart: always
- 
-  bconsul:
-    image: hashicorp/consul:1.15.4
-    volumes:
-     - ./test/:/test/:cached
+
 +  nginx:
 +    image: nginx:latest
 +    restart: always
-     networks:
-      bouldernet:
-        ipv4_address: 10.77.77.10
-    command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
+    networks:
 +      - bouldernet
 +    ports:
 +      - 80:80
@@ -204,13 +182,11 @@ index 8092b1522..b9a8ac069 100644
 +      - /home/labca/nginx_data/static:/var/www/html
 +    depends_on:
 +      - control
- 
-  bjaeger:
-    image: jaegertracing/all-in-one:1.50
+
 +  control:
 +    image: *boulder_tools_image
-     networks:
-       - bouldernet
+    networks:
+      - bouldernet
 +    volumes:
 +      - /var/run/docker.sock:/var/run/docker.sock
 +      - /home/labca/admin/data:/opt/labca/data
--- a/patches/issuance_issuer.patch
+++ b/patches/issuance_issuer.patch
@@ -1,8 +1,8 @@
 diff --git a/issuance/issuer.go b/issuance/issuer.go
-index 95d2f03a7..c3129fe97 100644
+index e89143ea0..ec328c9df 100644
 --- a/issuance/issuer.go
 +++ b/issuance/issuer.go
-@@ -161,7 +161,7 @@ type IssuerConfig struct {
+@@ -149,7 +149,7 @@ type IssuerConfig struct {
 	Active bool
 
 	IssuerURL  string `validate:"required,url"`
@@ -11,7 +11,7 @@ index 95d2f03a7..c3129fe97 100644
 
 	// TODO(#8177): Remove this.
 	OCSPURL string `validate:"omitempty,url"`
-@@ -248,9 +248,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
+@@ -236,9 +236,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
 	if !strings.HasPrefix(config.CRLURLBase, "http://") {
 		return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase)
 	}
--- a/patches/makefile.patch
+++ b/patches/makefile.patch
@@ -1,13 +1,13 @@
 diff --git a/Makefile b/Makefile
-index 9522b89a7..b5aa9d84a 100644
+index 640ff12bd..486d54685 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -36,7 +36,7 @@ $(CMD_BINS): build_cmds
+@@ -37,7 +37,7 @@ $(CMD_BINS): build_cmds
 
 build_cmds: | $(OBJDIR)
 	echo $(OBJECTS)
-	GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor $(GO_BUILD_FLAGS) ./...
-+	GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor -buildvcs=false $(GO_BUILD_FLAGS) ./...
+-	GOBIN=$(OBJDIR) go install -mod=vendor $(GO_BUILD_FLAGS) ./...
+	GOBIN=$(OBJDIR) go install -mod=vendor -buildvcs=false $(GO_BUILD_FLAGS) ./...
 
 # Building a .deb requires `fpm` from https://github.com/jordansissel/fpm
 # which you can install with `gem install fpm`.
--- a/patches/ocsp-responder_main.patch
+++ b/patches/ocsp-responder_main.patch
@@ -1,42 +0,0 @@
-diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go
-index ec03eb05f..1cfe3e20e 100644
--- a/cmd/ocsp-responder/main.go
-+++ b/cmd/ocsp-responder/main.go
-@@ -91,7 +91,7 @@ type Config struct {
- 
- 		// Configuration for using Redis as a cache. This configuration should
- 		// allow for both read and write access.
-		Redis *rocsp_config.RedisConfig `validate:"required_without=Source"`
-+		Redis *rocsp_config.RedisConfig
- 
- 		// TLS client certificate, private key, and trusted root bundle.
- 		TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`
-@@ -165,7 +165,7 @@ as generated by Boulder's ceremony command.
- 		}
- 		source, err = responder.NewMemorySourceFromFile(filename, logger)
- 		cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path))
-	} else {
-+	} else if c.OCSPResponder.Redis != nil {
- 		// Set up the redis source and the combined multiplex source.
- 		rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope)
- 		cmd.FailOnError(err, "Could not make redis client")
-@@ -209,6 +209,19 @@ as generated by Boulder's ceremony command.
- 
- 		source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger)
- 		cmd.FailOnError(err, "Could not create checkedRedis source")
-+	} else {
-+		tlsConfig, err := c.OCSPResponder.TLS.Load(scope)
-+		cmd.FailOnError(err, "TLS config")
-+
-+		raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, scope, clk)
-+		cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
-+		rac := rapb.NewRegistrationAuthorityClient(raConn)
-+
-+		maxInflight := c.OCSPResponder.MaxInflightSignings
-+		if maxInflight == 0 {
-+			maxInflight = 1000
-+		}
-+		source = live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters)
- 	}
- 
- 	// Load the certificate from the file path.
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index ba993179a..04aec2370 100644
+index ad3c496de..b676be83a 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -44,7 +44,6 @@ import (
+@@ -42,7 +42,6 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index ba993179a..04aec2370 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -574,7 +573,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 		if !core.IsASCII(contact) {
 			return berrors.InvalidEmailError("contact email contains non-ASCII characters")
 		}
@@ -19,7 +19,7 @@ index ba993179a..04aec2370 100644
 		if err != nil {
 			return err
 		}
-@@ -1895,6 +1894,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
+@@ -1854,6 +1853,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
 		return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url)
 	}
 	shardStr := url[lastIndex+1:]
--- a/patches/ratelimits_names.patch
+++ b/patches/ratelimits_names.patch
@@ -1,9 +1,9 @@
 diff --git a/ratelimits/names.go b/ratelimits/names.go
-index 1ce3c514c..6f72b517c 100644
+index cc32e49b6..099de902d 100644
 --- a/ratelimits/names.go
 +++ b/ratelimits/names.go
-@@ -114,6 +114,9 @@ var nameToString = map[Name]string{
- 	FailedAuthorizationsForPausingPerDomainPerAccount: "FailedAuthorizationsForPausingPerDomainPerAccount",
+@@ -120,6 +120,9 @@ var nameToString = map[Name]string{
+ 	LimitOverrideRequestsPerIPAddress:                 "LimitOverrideRequestsPerIPAddress",
 }
 
 +// Policy Authority singleton
@@ -12,7 +12,7 @@ index 1ce3c514c..6f72b517c 100644
 // isValid returns true if the Name is a valid rate limit name.
 func (n Name) isValid() bool {
 	return n > Unknown && n < Name(len(nameToString))
-@@ -195,7 +198,14 @@ func validateRegIdIdentValue(id string) error {
+@@ -201,7 +204,14 @@ func validateRegIdIdentValue(id string) error {
 		return fmt.Errorf(
 			"invalid regId, %q must be formatted 'regId:identValue'", id)
 	}
@@ -28,7 +28,7 @@ index 1ce3c514c..6f72b517c 100644
 	if domainErr != nil {
 		ipErr := policy.ValidIP(regIdIdentValue[1])
 		if ipErr != nil {
-@@ -209,7 +219,15 @@ func validateRegIdIdentValue(id string) error {
+@@ -215,7 +225,15 @@ func validateRegIdIdentValue(id string) error {
 // name or an IP address. IPv6 addresses must be the lowest address in their
 // /64, i.e. their last 64 bits must be zero.
 func validateDomainOrCIDR(limit Name, id string) error {
@@ -45,7 +45,7 @@ index 1ce3c514c..6f72b517c 100644
 	if domainErr == nil {
 		// This is a valid domain.
 		return nil
-@@ -264,8 +282,16 @@ func validateFQDNSet(id string) error {
+@@ -270,8 +288,16 @@ func validateFQDNSet(id string) error {
 		return fmt.Errorf(
 			"invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
 	}
--- a/patches/remoteva_main.patch
+++ b/patches/remoteva_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go
-index f4c0cbe76..1f454f489 100644
+index d049ba126..16fdca8a4 100644
 --- a/cmd/remoteva/main.go
 +++ b/cmd/remoteva/main.go
-@@ -57,7 +57,8 @@ type Config struct {
+@@ -59,7 +59,8 @@ type Config struct {
 		// For more information, see: https://pkg.go.dev/crypto/tls#ClientAuthType
 		SkipGRPCClientCertVerification bool
 
@@ -12,8 +12,8 @@ index f4c0cbe76..1f454f489 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -87,12 +88,16 @@ func main() {
- 	clk := cmd.Clock()
+@@ -89,12 +90,16 @@ func main() {
+ 	clk := clock.New()
 
 	var servers bdns.ServerProvider
 +	proto := "udp"
@@ -30,7 +30,7 @@ index f4c0cbe76..1f454f489 100644
 		cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
 	}
 	defer servers.Stop()
-@@ -138,7 +143,8 @@ func main() {
+@@ -140,7 +145,8 @@ func main() {
 		c.RVA.AccountURIPrefixes,
 		c.RVA.Perspective,
 		c.RVA.RIR,
--- a/patches/sfe_overrides.patch
+++ b/patches/sfe_overrides.patch
@@ -0,0 +1,38 @@
+diff --git a/sfe/overrides.go b/sfe/overrides.go
+index 8eb024aed..20687c2bd 100644
+--- a/sfe/overrides.go
+++ b/sfe/overrides.go
+@@ -13,6 +13,7 @@ import (
+ 
+ 	berrors "github.com/letsencrypt/boulder/errors"
+ 	"github.com/letsencrypt/boulder/iana"
+	"github.com/letsencrypt/boulder/identifier"
+ 	"github.com/letsencrypt/boulder/policy"
+ 	rl "github.com/letsencrypt/boulder/ratelimits"
+ 	"github.com/letsencrypt/boulder/sfe/forms"
+@@ -356,7 +357,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
+ 		return nil
+ 
+ 	case emailAddressFieldName:
+-		err := policy.ValidEmail(fieldValue)
+		pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil)
+		if err != nil {
+			return fmt.Errorf("cannot create policy authority implementation for email")
+		}
+		err = pa.ValidEmail(fieldValue)
+ 		if err == nil {
+ 			return nil
+ 		}
+@@ -382,7 +387,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
+ 		return fmt.Errorf("IP address is invalid")
+ 
+ 	case RegisteredDomainFieldName:
+-		err := policy.ValidDomain(fieldValue)
+		pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil)
+		if err != nil {
+			return fmt.Errorf("cannot create policy authority implementation")
+		}
+		err = pa.ValidDomain(fieldValue)
+ 		if err != nil {
+ 			return fmt.Errorf("registered domain name is invalid")
+ 		}
--- a/patches/sfe_templates_layout.patch
+++ b/patches/sfe_templates_layout.patch
@@ -1,8 +1,8 @@
 diff --git a/sfe/templates/layout.html b/sfe/templates/layout.html
-index 15d5e88d9..2511e9e13 100644
+index ded5d495f..009aa7de2 100644
 --- a/sfe/templates/layout.html
 +++ b/sfe/templates/layout.html
-@@ -4,8 +4,8 @@
+@@ -4,14 +4,14 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
@@ -10,15 +10,13 @@ index 15d5e88d9..2511e9e13 100644
 -    <link rel="icon" type="image/x-icon" href="/static/favicon.ico">
 +    <title>Self-Service Portal | LabCA</title>
 +    <link rel="icon" type="image/png" href="/img/fav-public.png">
-     <style>
-         * {
-             font-family: system-ui, sans-serif;
-@@ -99,7 +99,7 @@
+     <link rel="stylesheet" href="/static/style.css">
+ </head>
 <body>
     <div class="header">
         <div class="container">
-            <img src="/static/logo.svg" alt="Let's Encrypt" style="height: 50px;">
-+             <a class="navbar-brand" href="/" style="text-decoration: none;color:  #777;font-size: 18px;font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif;padding: 10px 20px;"><!-- BEGIN WEBTITLE -->LabCA<!-- END WEBTITLE --></a>
+-            <img src="/static/logo.svg" alt="Let's Encrypt" id="logo">
+            <a class="navbar-brand" href="/" style="text-decoration: none;color:  #777;font-size: 18px;font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif;padding: 10px 20px;"><!-- BEGIN WEBTITLE -->LabCA<!-- END WEBTITLE --></a>
         </div>
     </div>
 {{ end }}
--- a/patches/start.patch
+++ b/patches/start.patch
@@ -1,5 +1,5 @@
 diff --git a/start.py b/start.py
-index f224b9e6c..017fe5cd5 100755
+index 2c59f04d4..8fb9282d8 100755
 --- a/start.py
 +++ b/start.py
@@ -20,6 +20,11 @@ import startservers
@@ -11,6 +11,6 @@ index f224b9e6c..017fe5cd5 100755
 +    print(f"Waiting for '{fl}' to appear...")
 +    time.sleep(30)
 +
- if not startservers.start(fakeclock=None):
+ if not startservers.start():
     sys.exit(1)
 try:
--- a/patches/test_certs_generate.patch
+++ b/patches/test_certs_generate.patch
@@ -1,8 +1,8 @@
 diff --git a/test/certs/generate.sh b/test/certs/generate.sh
-index f6ef272d3..bfc60f293 100755
+index 6038ace4e..728f49df6 100755
 --- a/test/certs/generate.sh
 +++ b/test/certs/generate.sh
-@@ -63,16 +63,50 @@ webpki() (
+@@ -62,16 +62,50 @@ webpki() (
   # This function executes in a subshell, so this cd does not affect the parent
   # script.
   cd ../..
--- a/patches/test_config_ca.patch
+++ b/patches/test_config_ca.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/ca.json b/test/config/ca.json
-index 6e60285a5..672cb29ce 100644
+index 477f82b12..9512d98b0 100644
 --- a/test/config/ca.json
 +++ b/test/config/ca.json
@@ -1,11 +1,11 @@
@@ -18,7 +18,7 @@ index 6e60285a5..672cb29ce 100644
 		"grpcCA": {
 			"maxConnectionAge": "30s",
 			"address": ":9093",
-@@ -64,7 +64,8 @@
+@@ -59,7 +59,8 @@
 					"includeCRLDistributionPoints": true,
 					"maxValidityPeriod": "7776000s",
 					"maxValidityBackdate": "1h5m",
@@ -28,7 +28,7 @@ index 6e60285a5..672cb29ce 100644
 					"ignoredLints": [
 						"w_subject_common_name_included",
 						"e_dnsname_not_valid_tld",
-@@ -81,7 +82,8 @@
+@@ -76,7 +77,8 @@
 					"includeCRLDistributionPoints": true,
 					"maxValidityPeriod": "160h",
 					"maxValidityBackdate": "1h5m",
@@ -38,7 +38,7 @@ index 6e60285a5..672cb29ce 100644
 					"ignoredLints": [
 						"w_ext_subject_key_identifier_missing_sub_cert",
 						"e_dnsname_not_valid_tld"
-@@ -97,7 +99,7 @@
+@@ -92,7 +94,7 @@
 					"includeCRLDistributionPoints": true,
 					"maxValidityPeriod": "583200s",
 					"maxValidityBackdate": "1h5m",
@@ -47,7 +47,7 @@ index 6e60285a5..672cb29ce 100644
 					"ignoredLints": [
 						"w_ext_subject_key_identifier_missing_sub_cert",
 						"e_dnsname_not_valid_tld"
-@@ -107,78 +109,19 @@
+@@ -102,72 +104,17 @@
 			"crlProfile": {
 				"validityInterval": "216h",
 				"maxBackdate": "1h5m",
@@ -59,7 +59,6 @@ index 6e60285a5..672cb29ce 100644
 					"active": true,
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-ecdsa-a",
-					"ocspURL": "http://ca.example.org:4002/",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/43104258997432926/",
 -					"location": {
 -						"configFile": "test/certs/webpki/int-ecdsa-a.pkcs11.json",
@@ -71,7 +70,6 @@ index 6e60285a5..672cb29ce 100644
 -					"active": true,
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-ecdsa-b",
-					"ocspURL": "http://ca.example.org:4002/",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/17302365692836921/",
 -					"location": {
 -						"configFile": "test/certs/webpki/int-ecdsa-b.pkcs11.json",
@@ -83,7 +81,6 @@ index 6e60285a5..672cb29ce 100644
 -					"active": false,
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-ecdsa-c",
-					"ocspURL": "http://ca.example.org:4002/",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56560759852043581/",
 -					"location": {
 -						"configFile": "test/certs/webpki/int-ecdsa-c.pkcs11.json",
@@ -93,10 +90,9 @@ index 6e60285a5..672cb29ce 100644
 -				},
 -				{
 -					"active": true,
+-					"crlShards": 10,
 +					"crlShards": 1,
- 					"crlShards": 10,
 					"issuerURL": "http://ca.example.org:4502/int-rsa-a",
- 					"ocspURL": "http://ca.example.org:4002/",
 					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/29947985078257530/",
 					"location": {
 -						"configFile": "test/certs/webpki/int-rsa-a.pkcs11.json",
@@ -108,7 +104,6 @@ index 6e60285a5..672cb29ce 100644
 -					"active": true,
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-rsa-b",
-					"ocspURL": "http://ca.example.org:4002/",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/6762885421992935/",
 -					"location": {
 -						"configFile": "test/certs/webpki/int-rsa-b.pkcs11.json",
@@ -120,7 +115,6 @@ index 6e60285a5..672cb29ce 100644
 -					"active": false,
 -					"crlShards": 10,
 -					"issuerURL": "http://ca.example.org:4502/int-rsa-c",
-					"ocspURL": "http://ca.example.org:4002/",
 -					"crlURLBase": "http://ca.example.org:4501/lets-encrypt-crls/56183656833365902/",
 -					"location": {
 -						"configFile": "test/certs/webpki/int-rsa-c.pkcs11.json",
@@ -130,7 +124,7 @@ index 6e60285a5..672cb29ce 100644
 						"numSessions": 2
 					}
 				}
-@@ -190,7 +133,7 @@
+@@ -179,7 +126,7 @@
 		"goodkey": {},
 		"ocspLogMaxLength": 4000,
 		"ocspLogPeriod": "500ms",
@@ -139,7 +133,7 @@ index 6e60285a5..672cb29ce 100644
 		"features": {}
 	},
 	"pa": {
-@@ -205,7 +148,7 @@
+@@ -194,7 +141,7 @@
 		}
 	},
 	"syslog": {
--- a/patches/test_health-checker_main.patch
+++ b/patches/test_health-checker_main.patch
@@ -1,9 +1,9 @@
 diff --git a/test/health-checker/main.go b/test/health-checker/main.go
-index 0331d59e5..d2f9fbbd9 100644
+index addb669bb..119867d6f 100644
 --- a/test/health-checker/main.go
 +++ b/test/health-checker/main.go
-@@ -56,7 +56,7 @@ func main() {
- 	clk := cmd.Clock()
+@@ -57,7 +57,7 @@ func main() {
+ 	clk := clock.New()
 
 	// Health check retry and timeout.
 -	ticker := time.NewTicker(100 * time.Millisecond)
--- a/patches/test_ocsp_helper_helper.patch
+++ b/patches/test_ocsp_helper_helper.patch
@@ -1,21 +0,0 @@
-diff --git a/test/ocsp/helper/helper.go b/test/ocsp/helper/helper.go
-index 469c8cec1..0b2852330 100644
--- a/test/ocsp/helper/helper.go
-+++ b/test/ocsp/helper/helper.go
-@@ -15,6 +15,7 @@ import (
- 	"net/http"
- 	"net/url"
- 	"os"
-+	"path"
- 	"strings"
- 	"sync"
- 	"time"
-@@ -327,7 +328,7 @@ func sendHTTPRequest(
- 	var httpRequest *http.Request
- 	var err error
- 	if method == "GET" {
-		ocspURL.Path = encodedReq
-+		ocspURL.Path = path.Join(ocspURL.Path, encodedReq)
- 		fmt.Fprintf(output, "Fetching %s\n", ocspURL.String())
- 		httpRequest, err = http.NewRequest("GET", ocspURL.String(), http.NoBody)
- 	} else if method == "POST" {
--- a/patches/test_startservers.patch
+++ b/patches/test_startservers.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 4e2ce1b24..e4645852a 100644
+index 9a46c7db2..df82abbf8 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -86,6 +86,10 @@ SERVICES = (
+@@ -77,6 +77,10 @@ SERVICES = (
         9667, None, None,
         ('./bin/boulder', 'crl-storer', '--config', os.path.join(config_dir, 'crl-storer.json'), '--addr', ':9309', '--debug-addr', ':9667'),
         ('s3-test-srv',)),
--- a/patches/wfe2_main.patch
+++ b/patches/wfe2_main.patch
@@ -1,8 +1,8 @@
 diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
-index 955fe406c..ae127564e 100644
+index cc5930699..8e1a14c3c 100644
 --- a/cmd/boulder-wfe2/main.go
 +++ b/cmd/boulder-wfe2/main.go
-@@ -12,14 +12,17 @@ import (
+@@ -14,14 +14,17 @@ import (
 
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/config"
@@ -20,7 +20,7 @@ index 955fe406c..ae127564e 100644
 	rapb "github.com/letsencrypt/boulder/ra/proto"
 	"github.com/letsencrypt/boulder/ratelimits"
 	bredis "github.com/letsencrypt/boulder/redis"
-@@ -99,7 +102,7 @@ type Config struct {
+@@ -101,7 +104,7 @@ type Config struct {
 		// DirectoryCAAIdentity is used for the /directory response's "meta"
 		// element's "caaIdentities" field. It should match the VA's "issuerDomain"
 		// configuration value (this value is the one used to enforce CAA)
@@ -29,7 +29,7 @@ index 955fe406c..ae127564e 100644
 		// DirectoryWebsite is used for the /directory response's "meta" element's
 		// "website" field.
 		DirectoryWebsite string `validate:"required,url"`
-@@ -180,6 +183,8 @@ type Config struct {
+@@ -182,6 +185,8 @@ type Config struct {
 			// to enable the pausing feature.
 			URL string `validate:"omitempty,required_with=HMACKey JWTLifetime,url,startswith=https://,endsnotwith=/"`
 		}
@@ -38,7 +38,7 @@ index 955fe406c..ae127564e 100644
 	}
 
 	Syslog        cmd.SyslogConfig
-@@ -324,11 +329,25 @@ func main() {
+@@ -326,11 +331,25 @@ func main() {
 	var limiter *ratelimits.Limiter
 	var txnBuilder *ratelimits.TransactionBuilder
 	var limiterRedis *bredis.Ring
@@ -64,7 +64,7 @@ index 955fe406c..ae127564e 100644
 		source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats)
 		limiter, err = ratelimits.NewLimiter(clk, source, stats)
 		cmd.FailOnError(err, "Failed to create rate limiter")
-@@ -369,6 +388,7 @@ func main() {
+@@ -371,6 +390,7 @@ func main() {
 		unpauseSigner,
 		c.WFE.Unpause.JWTLifetime.Duration,
 		c.WFE.Unpause.URL,
--- a/patches/wfe2_wfe.patch
+++ b/patches/wfe2_wfe.patch
@@ -1,5 +1,5 @@
 diff --git a/wfe2/wfe.go b/wfe2/wfe.go
-index 891d165b6..1a4fda298 100644
+index c225c56f3..294ec463f 100644
 --- a/wfe2/wfe.go
 +++ b/wfe2/wfe.go
@@ -166,6 +166,8 @@ type WebFrontEndImpl struct {
@@ -38,7 +38,7 @@ index 891d165b6..1a4fda298 100644
 	}
 
 	return wfe, nil
-@@ -678,7 +686,7 @@ func (wfe *WebFrontEndImpl) contactsToEmails(contacts []string) ([]string, error
+@@ -679,7 +687,7 @@ func (wfe *WebFrontEndImpl) contactsToEmails(contacts []string) ([]string, error
 			return nil, berrors.InvalidEmailError("contact email contains non-ASCII characters")
 		}
 
@@ -47,7 +47,7 @@ index 891d165b6..1a4fda298 100644
 		if err != nil {
 			return nil, err
 		}
-@@ -2299,7 +2307,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
+@@ -2329,7 +2337,7 @@ func (wfe *WebFrontEndImpl) NewOrder(
 	idents = identifier.Normalize(idents)
 	logEvent.Identifiers = idents
 
--- a/utils.sh
+++ b/utils.sh
@@ -4,7 +4,7 @@ set -e

 export PS_LABCA="bin/labca-gui"
 export PS_BOULDER="bin/boulder"
-export PS_BOULDER_COUNT=27
+export PS_BOULDER_COUNT=26
 export PS_MYSQL="mysqld"
 export PS_CONTROL="tcpserver"
 export PS_NGINX="nginx:"