From c23a8762aa8a4717165e011b4a4a4fb5a74bfee8 Mon Sep 17 00:00:00 2001 
From: Arjan H Date: Sat, 6 Sep 2025 12:39:43 +0200 Subject: [PATCH] Bump boulder version to v0.20250902.0 --- .github/workflows/build-standalone.yml | 2 +- .github/workflows/golangci-lint.yml | 2 +- .github/workflows/release.yml | 2 +- build/Dockerfile-boulder | 2 +- build/Dockerfile-control | 2 +- build/build.sh | 2 +- build/docker-compose.yml | 8 +- build/tmp.patch | 20 ++--- build/tmp2.patch | 6 +- install | 2 +- patch-cfg.sh | 9 --- patch.sh | 11 ++- patches/admin_overrides_add.patch | 17 ++++ patches/boulder-ra_main.patch | 4 +- patches/boulder-va_main.patch | 8 +- patches/ca_ca.patch | 4 +- patches/ca_ca_keytype_hack.patch | 4 +- patches/ceremony_crl.patch | 20 +++-- patches/ceremony_main.patch | 4 +- patches/cmd_config.patch | 4 +- patches/config_ocsp-responder.patch | 41 ---------- patches/config_ra.patch | 4 +- patches/config_rocsp_config.patch | 21 ----- patches/crl-storer_main.patch | 6 +- patches/docker-compose.patch | 106 ++++++++++--------------- patches/issuance_issuer.patch | 6 +- patches/makefile.patch | 8 +- patches/ocsp-responder_main.patch | 42 ---------- patches/ra_ra.patch | 8 +- patches/ratelimits_names.patch | 12 +-- patches/remoteva_main.patch | 10 +-- patches/sfe_overrides.patch | 38 +++++++++ patches/sfe_templates_layout.patch | 14 ++-- patches/start.patch | 4 +- patches/test_certs_generate.patch | 4 +- patches/test_config_ca.patch | 22 ++--- patches/test_health-checker_main.patch | 6 +- patches/test_ocsp_helper_helper.patch | 21 ----- patches/test_startservers.patch | 4 +- patches/wfe2_main.patch | 12 +-- patches/wfe2_wfe.patch | 6 +- utils.sh | 2 +- 42 files changed, 213 insertions(+), 317 deletions(-) create mode 100644 patches/admin_overrides_add.patch delete mode 100644 patches/config_ocsp-responder.patch delete mode 100644 patches/config_rocsp_config.patch delete mode 100644 patches/ocsp-responder_main.patch create mode 100644 patches/sfe_overrides.patch delete mode 100644 patches/test_ocsp_helper_helper.patch 
diff --git a/.github/workflows/build-standalone.yml b/.github/workflows/build-standalone.yml index 70e4a63..1057c22 100644 --- a/.github/workflows/build-standalone.yml +++ b/.github/workflows/build-standalone.yml @@ -17,7 +17,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.24.4 + - 1.25.0 steps: - name: Checkout diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 4d0d290..7ec4efb 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -20,7 +20,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.24.4 + - 1.25.0 steps: - uses: actions/checkout@v5 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 10ddb55..51bc915 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.24.4 + - 1.25.0 steps: - name: Checkout diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder index 1a67659..1e20814 100644 --- a/build/Dockerfile-boulder +++ b/build/Dockerfile-boulder @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM letsencrypt/boulder-tools:go1.24.4_2025-06-06 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools FROM ubuntu:noble diff --git a/build/Dockerfile-control b/build/Dockerfile-control index e6bcf8c..14e45fe 100644 --- a/build/Dockerfile-control +++ b/build/Dockerfile-control @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1 -FROM letsencrypt/boulder-tools:go1.24.4_2025-06-06 AS boulder-tools +FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools FROM ubuntu:noble AS builder diff --git a/build/build.sh b/build/build.sh index d8caaf1..5d89e51 100755 --- a/build/build.sh +++ b/build/build.sh 
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="v0.20250728.0" +boulderTag="v0.20250902.0" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 965a77f..12f2cc1 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -9,7 +9,7 @@ services: context: test/boulder-tools/ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. args: - GO_VERSION: 1.24.1 + GO_VERSION: 1.25.0 environment: # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS # to the IP address where your ACME client's solver is listening. This is @@ -17,7 +17,6 @@ services: FAKE_DNS: 64.112.117.122 BOULDER_CONFIG_DIR: labca/config GOCACHE: /boulder/.gocache/go-build - GOFLAGS: -mod=vendor volumes: - boulder_data:/opt/boulder/labca - certificates:/opt/boulder/labca/certs @@ -51,7 +50,6 @@ services: - "integration.trust:64.112.117.122" ports: - 4001:4001 # ACMEv2 - - 4002:4002 # OCSP - 4003:4003 # SFE depends_on: - bmysql @@ -114,8 +112,6 @@ services: gui: image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest} - networks: - - bouldernet volumes: - /var/run/docker.sock:/var/run/docker.sock - ./docker-compose.yml:/opt/boulder/docker-compose.yml @@ -125,6 +121,8 @@ services: - boulder_data:/opt/boulder/labca - certificates:/opt/boulder/labca/certs - softhsm:/var/lib/softhsm/tokens + networks: + - bouldernet expose: - 3000 depends_on: diff --git a/build/tmp.patch b/build/tmp.patch index 214ae34..b0711be 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index b9a8ac069..71ca7e0be 100644 +index c0c7fc838..12f2cc1e7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ services: 
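Review bot: Dropping `GOFLAGS: -mod=vendor` from the boulder service environment (hunk `@@ -17,7 +17,6 @@`) changes module resolution for every `go` command run inside that container, not only the Makefile build, which elsewhere in this commit (patches/makefile.patch) still passes `-mod=vendor` explicitly. If the v0.20250902.0 checkout still ships its vendor directory the toolchain defaults to vendor mode and nothing changes; if it does not, `go test`/`go run` invocations inside the container will resolve dependencies from the module proxy rather than the pinned tree. Worth confirming against the new tag, and a one-line comment next to `GOCACHE` such as `# module mode: vendor directory in the checkout is authoritative` would record the expectation.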
@@ -11,9 +11,9 @@ index b9a8ac069..71ca7e0be 100644 build: context: test/boulder-tools/ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh. -@@ -19,11 +19,10 @@ services: +@@ -18,11 +18,10 @@ services: + BOULDER_CONFIG_DIR: labca/config GOCACHE: /boulder/.gocache/go-build - GOFLAGS: -mod=vendor volumes: - - .:/opt/boulder:cached - - /home/labca/boulder_labca:/opt/boulder/labca @@ -27,7 +27,7 @@ index b9a8ac069..71ca7e0be 100644 networks: bouldernet: ipv4_address: 10.77.77.77 -@@ -91,7 +90,8 @@ services: +@@ -89,7 +88,8 @@ services: image: redis:6.2.7 volumes: - ./test/:/test/:cached @@ -37,7 +37,7 @@ index b9a8ac069..71ca7e0be 100644 command: redis-server /opt/boulder/labca/redis-ratelimits.config networks: bouldernet: -@@ -103,33 +103,35 @@ services: +@@ -101,24 +101,26 @@ services: depends_on: - control volumes: @@ -54,8 +54,6 @@ index b9a8ac069..71ca7e0be 100644 gui: - image: *boulder_tools_image + image: ghcr.io/hakwerk/labca-gui:${LABCA_IMAGE_VERSION:-latest} - networks: - - bouldernet volumes: - /var/run/docker.sock:/var/run/docker.sock - - /home/labca/admin:/go/src/labca @@ -72,8 +70,10 @@ index b9a8ac069..71ca7e0be 100644 + - boulder_data:/opt/boulder/labca + - certificates:/opt/boulder/labca/certs + - softhsm:/var/lib/softhsm/tokens + networks: + - bouldernet expose: - - 3000 +@@ -126,8 +128,8 @@ services: depends_on: - bmysql - control @@ -84,7 +84,7 @@ index b9a8ac069..71ca7e0be 100644 logging: driver: "json-file" options: -@@ -146,30 +148,28 @@ services: +@@ -144,30 +146,28 @@ services: - 80:80 - 443:443 volumes: @@ -129,7 +129,7 @@ index b9a8ac069..71ca7e0be 100644 expose: - 3030 environment: -@@ -186,6 +186,15 @@ services: +@@ -184,6 +184,15 @@ services: volumes: dbdata: diff --git a/build/tmp2.patch b/build/tmp2.patch index 03e9767..1db1968 100644 --- a/build/tmp2.patch +++ b/build/tmp2.patch @@ -1,11 +1,11 @@ 
diff --git a/test/startservers.py b/test/startservers.py -index e4645852a..b988b48fe 100644 +index df82abbf8..08720c37e 100644 --- a/test/startservers.py +++ b/test/startservers.py -@@ -190,6 +190,9 @@ processes = [] +@@ -186,6 +186,9 @@ processes = [] challSrvProcess = None - def install(race_detection): + def install(race_detection, coverage=False): + return True + +def installOriginal(race_detection): diff --git a/install b/install index 8b0dae5..7ea0a13 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="v0.20250728.0" +boulderTag="v0.20250902.0" # # Color configuration diff --git a/patch-cfg.sh b/patch-cfg.sh index 5f3f910..8dedf32 100755 --- a/patch-cfg.sh +++ b/patch-cfg.sh @@ -15,7 +15,6 @@ $SUDO patch -p1 -o "$boulderLabCADir/entrypoint.sh" < $cloneDir/patches/entrypoi cp test/startservers.py "$boulderLabCADir/startservers.py" $SUDO patch -p1 -o "$boulderLabCADir/config/bad-key-revoker.json" < $cloneDir/patches/config_bad-key-revoker.patch -$SUDO patch -p1 -o "$boulderLabCADir/config/ocsp-responder.json" < $cloneDir/patches/config_ocsp-responder.patch $SUDO patch -p1 -o "$boulderLabCADir/config/publisher.json" < $cloneDir/patches/config_publisher.patch $SUDO patch -p1 -o "$boulderLabCADir/config/wfe2.json" < $cloneDir/patches/config_wfe2.patch $SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches/config_crl-storer.patch 
@@ -36,12 +35,9 @@ perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\" perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/remoteva-c.json perl -i -p0e "s/(\"accountURIPrefixes\": \[\n.*?\s+\])/\1,\n\t\t\"labcaDomains\": [\n\t\t]/igs" $boulderLabCADir/config/va.json -perl -i -p0e "s/\n \"redis\": \{\n.*? \},//igs" $boulderLabCADir/config/ocsp-responder.json - for f in $(grep -l boulder-proxysql $boulderLabCADir/secrets/*); do sed -i -e "s/proxysql:6033/mysql:3306/" $f; done cd "$boulderLabCADir" -sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/ocsp-responder.json sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/publisher.json sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/ca.json sed -i -e "s|test/certs/webpki/int-rsa-a.cert.pem|labca/certs/webpki/issuer-01-cert.pem|" config/wfe2.json @@ -57,7 +53,6 @@ sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/certs/webpki/root-01-cert sed -i -e "s|test/certs/webpki/root-rsa.cert.pem|labca/certs/webpki/root-01-cert.pem|" helpers.py sed -i -e "s|letsencrypt/boulder|hakwerk/labca|" config/wfe2.json sed -i -e "s|1.2.3.4|1.3.6.1.4.1.44947.1.1.1|g" config/ca.json -sed -i -e "s/ocspURL.Path = encodedReq/ocspURL.Path += encodedReq/" ocsp/helper/helper.go sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-a.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-b.json sed -i -e "s/\"dnsTimeout\": \".*\"/\"dnsTimeout\": \"3s\"/" config/remoteva-c.json 
@@ -75,11 +70,7 @@ perl -i -p0e "s/(services {\s*id\s*=\s*\"bredis4\".*?}\n\n)//igs" consul/config. sed -i -e "s|test/certs|/opt/boulder/labca/certs|" consul/config.hcl sed -i -e "s|/test/certs|/opt/boulder/labca/certs|" redis-ratelimits.config -perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"shardAddrs\": {)/\1\2\1\"db\": 0,\1\3/igs" config/ocsp-responder.json -perl -i -p0e "s/(\"shardAddrs\": {\n)(\s*).*?(\s*},)/\1\2\"shard1\": \"10.33.33.4:4218\"\3/igs" config/ocsp-responder.json perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"lookups\": \[)/\1\2\1\"db\": 1,\1\3/igs" config/ra.json -perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"shardAddrs\": {)/\1\2\1\"db\": 0,\1\3/igs" config/rocsp-tool.json -perl -i -p0e "s/(\"shardAddrs\": {\n)(\s*).*?(\s*},)/\1\2\"shard1\": \"10.33.33.4:4218\"\3/igs" config/rocsp-tool.json perl -i -p0e "s/,(\s*)(\"passwordFile\":.*?,).*(\"lookups\": \[)/,\1\2\1\"db\": 1,\1\3/igs" config/wfe2.json for file in `find . -type f | grep -v .git`; do diff --git a/patch.sh b/patch.sh index 5c8967a..ce2e1fe 100755 --- a/patch.sh +++ b/patch.sh @@ -14,6 +14,7 @@ if [ "$SUDO" == "" ]; then $SUDO patch -p1 < $cloneDir/build/tmp.patch fi +$SUDO patch -p1 < $cloneDir/patches/admin_overrides_add.patch $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch $SUDO patch -p1 < $cloneDir/patches/bdns_dns.patch $SUDO patch -p1 < $cloneDir/patches/boulder-ra_main.patch @@ -29,7 +30,6 @@ $SUDO patch -p1 < $cloneDir/patches/ceremony_rsa.patch $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch $SUDO patch -p1 < $cloneDir/patches/config_duration.patch -$SUDO patch -p1 < $cloneDir/patches/config_rocsp_config.patch $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch 
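Review bot: The added `$SUDO patch -p1 < $cloneDir/patches/admin_overrides_add.patch` line, like the lines reordered in the `@@ -44,23 +44,22 @@` hunk below, runs without checking the exit status of `patch`; unless the script runs under `set -e`, which is not visible in these hunks, a hunk rejected against the new boulder tag leaves a `.rej` file and the build proceeds with a partially patched tree. A cheap guard is `|| exit 1` on each invocation, or a small helper used for all of them: `apply() { $SUDO patch -p1 < "$1" || { echo "patch failed: $1" >&2; exit 1; }; }`. The head of patch.sh, where `set -e` would live, is outside these hunks.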
@@ -44,23 +44,22 @@ $SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch $SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch $SUDO patch -p1 < $cloneDir/patches/log_validator_validator.patch $SUDO patch -p1 < $cloneDir/patches/makefile.patch -$SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch $SUDO patch -p1 < $cloneDir/patches/redis_config.patch $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch $SUDO patch -p1 < $cloneDir/patches/reversed-hostname-checker_main.patch +$SUDO patch -p1 < $cloneDir/patches/sfe_overrides.patch +$SUDO patch -p1 < $cloneDir/patches/sfe_templates_layout.patch $SUDO patch -p1 < $cloneDir/patches/start.patch +$SUDO patch -p1 < $cloneDir/patches/storer_storer.patch +$SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch $SUDO patch -p1 < $cloneDir/patches/test_startservers.patch if [ "$SUDO" == "" ]; then # TODO: should include this into startservers.patch $SUDO patch -p1 < $cloneDir/build/tmp2.patch fi -$SUDO patch -p1 < $cloneDir/patches/sfe_templates_layout.patch -$SUDO patch -p1 < $cloneDir/patches/storer_storer.patch -$SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch -$SUDO patch -p1 < $cloneDir/patches/test_ocsp_helper_helper.patch $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch $SUDO patch -p1 < $cloneDir/patches/updater_continuous.patch $SUDO patch -p1 < $cloneDir/patches/va_http.patch diff --git a/patches/admin_overrides_add.patch b/patches/admin_overrides_add.patch new file mode 100644 index 0000000..c24cde4 --- /dev/null +++ b/patches/admin_overrides_add.patch 
@@ -0,0 +1,17 @@ +diff --git a/cmd/admin/overrides_add.go b/cmd/admin/overrides_add.go +index 6c217b0a1..0955b4256 100644 +--- a/cmd/admin/overrides_add.go ++++ b/cmd/admin/overrides_add.go +@@ -51,7 +51,11 @@ func validateIdentifiers(idents ...identifier.ACMEIdentifier) error { + for _, ident := range idents { + switch ident.Type { + case identifier.TypeDNS: +- err := policy.ValidDomain(ident.Value) ++ pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil) ++ if err != nil { ++ return fmt.Errorf("cannot create policy authority implementation") ++ } ++ err = pa.ValidDomain(ident.Value) + if err != nil { + return fmt.Errorf("invalid domain %s: %s", ident.Value, err) + } diff --git a/patches/boulder-ra_main.patch b/patches/boulder-ra_main.patch index 3674031..a162022 100644 --- a/patches/boulder-ra_main.patch +++ b/patches/boulder-ra_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go -index 9aa809e42..0facecca5 100644 +index dd30f78cd..a3b6c2e88 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go -@@ -270,6 +270,8 @@ func main() { +@@ -268,6 +268,8 @@ func main() { limiterRedis, err = bredis.NewRingFromConfig(*c.RA.Limiter.Redis, scope, logger) cmd.FailOnError(err, "Failed to create Redis ring") diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index d3b16ca..0d0f4af 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index 5086a3923..f557f33b0 100644 +index dd3fe9b39..5f6325f51 100644 --- a/cmd/boulder-va/main.go +++ b/cmd/boulder-va/main.go -@@ -53,6 +53,7 @@ type Config struct { +@@ -54,6 +54,7 @@ type Config struct { // Deprecated and ignored MaxRemoteValidationFailures int `validate:"omitempty,min=0,required_with=RemoteVAs"` Features features.Config 
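Review bot: The new `return fmt.Errorf("cannot create policy authority implementation")` discards the error that `policy.New` just returned, so a misconfiguration will surface without its cause; wrap it instead: `return fmt.Errorf("creating policy authority: %w", err)`. `policy.New` is also called once per identifier inside `for _, ident := range idents` even though its arguments do not depend on `ident`; constructing the policy authority once before the loop (returning early if that fails) keeps the validation loop free of setup work. validateIdentifiers begins at the hunk header and its end lies outside the hunk.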
@@ -10,8 +10,8 @@ index 5086a3923..f557f33b0 100644 } Syslog cmd.SyslogConfig -@@ -82,12 +83,16 @@ func main() { - clk := cmd.Clock() +@@ -83,12 +84,16 @@ func main() { + clk := clock.New() var servers bdns.ServerProvider + proto := "udp" diff --git a/patches/ca_ca.patch b/patches/ca_ca.patch index 1d683a0..5c60545 100644 --- a/patches/ca_ca.patch +++ b/patches/ca_ca.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index f8caf76fb..400d2b613 100644 +index 4f5c863e0..8e4d57233 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -171,10 +171,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -170,10 +170,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ca_ca_keytype_hack.patch b/patches/ca_ca_keytype_hack.patch index 2e4f6f1..672f861 100644 --- a/patches/ca_ca_keytype_hack.patch +++ b/patches/ca_ca_keytype_hack.patch @@ -1,8 +1,8 @@ diff --git a/ca/ca.go b/ca/ca.go -index 400d2b613..09e651a96 100644 +index 8e4d57233..8a95367ac 100644 --- a/ca/ca.go +++ b/ca/ca.go -@@ -171,10 +171,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { +@@ -170,10 +170,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) { } } if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 { diff --git a/patches/ceremony_crl.patch b/patches/ceremony_crl.patch index 2e5bc84..33a5030 100644 --- a/patches/ceremony_crl.patch +++ b/patches/ceremony_crl.patch @@ -1,13 +1,23 @@ diff --git a/cmd/ceremony/crl.go b/cmd/ceremony/crl.go -index 98790d906..4de35ae5c 100644 +index cde31023d..ab5d30aff 100644 --- a/cmd/ceremony/crl.go 
+++ b/cmd/ceremony/crl.go -@@ -42,7 +42,7 @@ func generateCRL(signer crypto.Signer, issuer *x509.Certificate, thisUpdate, nex +@@ -7,6 +7,7 @@ import ( + "errors" + "fmt" + "math/big" ++ "slices" + "time" + + "github.com/letsencrypt/boulder/crl/idp" +@@ -42,6 +43,10 @@ func generateCRL(signer crypto.Signer, issuer *x509.Certificate, thisUpdate, nex } template.ExtraExtensions = append(template.ExtraExtensions, *idp) -- err = linter.CheckCRL(template, issuer, signer, []string{}) -+ err = linter.CheckCRL(template, issuer, signer, []string{"e_crl_next_update_invalid"}) ++ if !slices.Contains(skipLints, "e_crl_next_update_invalid") { ++ skipLints = append(skipLints, "e_crl_next_update_invalid") ++ } ++ + err = linter.CheckCRL(template, issuer, signer, skipLints) if err != nil { return nil, fmt.Errorf("crl failed pre-issuance lint: %w", err) - } diff --git a/patches/ceremony_main.patch b/patches/ceremony_main.patch index ec96430..67c5b2a 100644 --- a/patches/ceremony_main.patch +++ b/patches/ceremony_main.patch @@ -1,5 +1,5 @@ diff --git a/cmd/ceremony/main.go b/cmd/ceremony/main.go -index 12cc9249c..8ac5af0a3 100644 +index 1a2cde645..193d7e325 100644 --- a/cmd/ceremony/main.go +++ b/cmd/ceremony/main.go @@ -98,6 +98,7 @@ type keyGenConfig struct { @@ -33,7 +33,7 @@ index 12cc9249c..8ac5af0a3 100644 } err = checkOutputFile(rc.Outputs.CertificatePath, "certificate-path") if err != nil { -@@ -629,23 +633,42 @@ func rootCeremony(configBytes []byte) error { +@@ -630,23 +634,42 @@ func rootCeremony(configBytes []byte) error { return fmt.Errorf("failed to setup session and PKCS#11 context for slot %d: %s", config.PKCS11.StoreSlot, err) } log.Printf("Opened PKCS#11 session for slot %d\n", config.PKCS11.StoreSlot) diff --git a/patches/cmd_config.patch b/patches/cmd_config.patch index 196ce0a..e241c5e 100644 --- a/patches/cmd_config.patch +++ b/patches/cmd_config.patch @@ -1,8 +1,8 @@ 
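Review bot: `skipLints = append(skipLints, "e_crl_next_update_invalid")` in the new `@@ -42,6 +43,10 @@` hunk appends to what appears to be the caller-supplied slice; when that slice has spare capacity the write lands in the caller's backing array, so another call that reuses the same slice can see the lint name appear without having asked for it. Detaching first keeps the change local: `skipLints = append(slices.Clone(skipLints), "e_crl_next_update_invalid")` (`slices` is already imported by this patch). Because this silently widens what the ceremony tool will sign, the reason for skipping the lint should be recorded beside the check, e.g. `// LabCA: always skip e_crl_next_update_invalid because <reason>` with the reason filled in. generateCRL starts and ends outside the hunk.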
diff --git a/cmd/config.go b/cmd/config.go -index 29649639f..776ebb5f2 100644 +index 9c7f2dc4a..087cd0652 100644 --- a/cmd/config.go +++ b/cmd/config.go -@@ -462,7 +462,7 @@ type GRPCServerConfig struct { +@@ -440,7 +440,7 @@ type GRPCServerConfig struct { // this controls how long it takes before a client learns about changes to its // backends. // https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters diff --git a/patches/config_ocsp-responder.patch b/patches/config_ocsp-responder.patch deleted file mode 100644 index 7e962fa..0000000 --- a/patches/config_ocsp-responder.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json -index 1e5d4cb70..e56719c21 100644 ---- a/test/config/ocsp-responder.json -+++ b/test/config/ocsp-responder.json -@@ -4,22 +4,6 @@ - "dbConnectFile": "test/secrets/ocsp_responder_dburl", - "maxOpenConns": 10 - }, -- "redis": { -- "username": "ocsp-responder", -- "passwordFile": "test/secrets/ocsp_responder_redis_password", -- "shardAddrs": { -- "shard1": "10.77.77.2:4218", -- "shard2": "10.77.77.3:4218" -- }, -- "timeout": "5s", -- "poolSize": 100, -- "routeRandomly": true, -- "tls": { -- "caCertFile": "test/certs/ipki/minica.pem", -- "certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem", -- "keyFile": "test/certs/ipki/ocsp-responder.boulder/key.pem" -- } -- }, - "tls": { - "caCertFile": "test/certs/ipki/minica.pem", - "certFile": "test/certs/ipki/ocsp-responder.boulder/cert.pem", -@@ -49,12 +33,7 @@ - "path": "/", - "listenAddress": "0.0.0.0:4002", - "issuerCerts": [ -- "test/certs/webpki/int-rsa-a.cert.pem", -- "test/certs/webpki/int-rsa-b.cert.pem", -- "test/certs/webpki/int-rsa-c.cert.pem", -- "test/certs/webpki/int-ecdsa-a.cert.pem", -- "test/certs/webpki/int-ecdsa-b.cert.pem", -- "test/certs/webpki/int-ecdsa-c.cert.pem" -+ "test/certs/webpki/int-rsa-a.cert.pem" - ], - "liveSigningPeriod": "60h", - "timeout": "4.9s", 
diff --git a/patches/config_ra.patch b/patches/config_ra.patch index dcc6016..99aba30 100644 --- a/patches/config_ra.patch +++ b/patches/config_ra.patch @@ -1,5 +1,5 @@ diff --git a/test/config/ra.json b/test/config/ra.json -index ade9fcc1c..994fa031a 100644 +index 1cecd4772..39b9f6284 100644 --- a/test/config/ra.json +++ b/test/config/ra.json @@ -3,7 +3,8 @@ @@ -58,7 +58,7 @@ index ade9fcc1c..994fa031a 100644 }, "vaService": { "dnsAuthority": "consul.service.consul", -@@ -164,7 +160,7 @@ +@@ -153,7 +149,7 @@ }, "ctLogs": { "stagger": "500ms", diff --git a/patches/config_rocsp_config.patch b/patches/config_rocsp_config.patch deleted file mode 100644 index 72c7c85..0000000 --- a/patches/config_rocsp_config.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/rocsp/config/rocsp_config.go b/rocsp/config/rocsp_config.go -index c5416a499..d23091b53 100644 ---- a/rocsp/config/rocsp_config.go -+++ b/rocsp/config/rocsp_config.go -@@ -31,6 +31,8 @@ type RedisConfig struct { - TLS cmd.TLSConfig - // Username is a Redis username. - Username string `validate:"required"` -+ // DB is the database number in Redis -+ DB int `validate:"min=0"` - // ShardAddrs is a map of shard names to IP address:port pairs. The go-redis - // `Ring` client will shard reads and writes across the provided Redis - // Servers based on a consistent hashing algorithm. -@@ -114,6 +116,7 @@ func MakeClient(c *RedisConfig, clk clock.Clock, stats prometheus.Registerer) (* - - rdb := redis.NewRing(&redis.RingOptions{ - Addrs: c.ShardAddrs, -+ DB: c.DB, - Username: c.Username, - Password: password, - TLSConfig: tlsConfig, diff --git a/patches/crl-storer_main.patch b/patches/crl-storer_main.patch index dcacde0..5ffe948 100644 --- a/patches/crl-storer_main.patch +++ b/patches/crl-storer_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/crl-storer/main.go b/cmd/crl-storer/main.go -index 4dddfaa9f..8dcf40bbc 100644 +index 8753d858f..87c11e1fc 100644 --- a/cmd/crl-storer/main.go 
+++ b/cmd/crl-storer/main.go -@@ -46,6 +46,9 @@ type Config struct { +@@ -47,6 +47,9 @@ type Config struct { // https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html. AWSCredsFile string @@ -12,7 +12,7 @@ index 4dddfaa9f..8dcf40bbc 100644 Features features.Config } -@@ -129,7 +132,7 @@ func main() { +@@ -130,7 +133,7 @@ func main() { } s3client := s3.NewFromConfig(awsConfig, s3opts...) diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index b4522bd..e677d05 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 8092b1522..b9a8ac069 100644 +index 2e2ff2746..c0c7fc838 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,3 +1,4 @@ @@ -7,14 +7,13 @@ index 8092b1522..b9a8ac069 100644 services: boulder: # The `letsencrypt/boulder-tools:latest` tag is automatically built in local -@@ -14,13 +15,15 @@ services: +@@ -14,12 +15,14 @@ services: # to the IP address where your ACME client's solver is listening. This is # pointing at the boulder service's "public" IP, where challtestsrv is. FAKE_DNS: 64.112.117.122 - BOULDER_CONFIG_DIR: test/config + BOULDER_CONFIG_DIR: labca/config GOCACHE: /boulder/.gocache/go-build - GOFLAGS: -mod=vendor volumes: - - .:/boulder:cached + - .:/opt/boulder:cached @@ -26,15 +25,13 @@ index 8092b1522..b9a8ac069 100644 networks: bouldernet: ipv4_address: 10.77.77.77 -@@ -53,122 +56,136 @@ services: +@@ -51,98 +54,136 @@ services: - 4003:4003 # SFE depends_on: - bmysql - - bproxysql - - bredis_1 - - bredis_2 -- - bredis_3 -- - bredis_4 + - bredis - bconsul - - bjaeger 
@@ -84,12 +81,7 @@ index 8092b1522..b9a8ac069 100644 + command: mysqld --bind-address=0.0.0.0 --log-output=TABLE logging: - driver: none -+ driver: "json-file" -+ options: -+ max-size: "500k" -+ max-file: "5" -+ restart: always - +- - bproxysql: - image: proxysql/proxysql:2.5.4 - # The --initial flag force resets the ProxySQL database on startup. By 
@@ -105,62 +97,53 @@ index 8092b1522..b9a8ac069 100644 - bouldernet: - aliases: - - boulder-proxysql -- ++ driver: "json-file" ++ options: ++ max-size: "500k" ++ max-file: "5" ++ restart: always + - bredis_1: + bredis: image: redis:6.2.7 volumes: - ./test/:/test/:cached -- command: redis-server /test/redis-ocsp.config +- command: redis-server /test/redis-ratelimits.config + - /home/labca/boulder_labca:/opt/boulder/labca + command: redis-server /opt/boulder/labca/redis-ratelimits.config networks: bouldernet: -- # TODO(#8215): Remove this static IP allocation (and similar below) when -- # we tear down ocsp-responder. We only have it because ocsp-responder -- # requires IPs in its "ShardAddrs" config, while ratelimit redis -- # supports looking up shards via hostname and SRV record. -- ipv4_address: 10.77.77.2 -+ ipv4_address: 10.77.77.4 -+ restart: always - + ipv4_address: 10.77.77.4 +- - bredis_2: - image: redis:6.2.7 -+ bconsul: -+ image: hashicorp/consul:1.15.4 -+ depends_on: -+ - control - volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-ocsp.config -+ - /home/labca/boulder_labca:/opt/boulder/labca - networks: - bouldernet: -- ipv4_address: 10.77.77.3 -+ ipv4_address: 10.77.77.10 -+ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" -+ restart: always - -- bredis_3: -- image: redis:6.2.7 - volumes: - - ./test/:/test/:cached - command: redis-server /test/redis-ratelimits.config -+ gui: -+ image: *boulder_tools_image - networks: -- bouldernet: -- ipv4_address: 10.77.77.4 -- -- bredis_4: -- image: redis:6.2.7 -+ - bouldernet - volumes: -- - ./test/:/test/:cached -- command: redis-server /test/redis-ratelimits.config - networks: - bouldernet: - ipv4_address: 10.77.77.5 ++ restart: always + + bconsul: + image: hashicorp/consul:1.15.4 ++ depends_on: ++ - control + volumes: +- - ./test/:/test/:cached ++ - /home/labca/boulder_labca:/opt/boulder/labca + networks: + bouldernet: + ipv4_address: 
10.77.77.10 +- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" ++ command: "consul agent -dev -config-format=hcl -config-file=/opt/boulder/labca/consul/config.hcl" ++ restart: always + +- bjaeger: +- image: jaegertracing/all-in-one:1.50 ++ gui: ++ image: *boulder_tools_image ++ volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /home/labca/admin:/go/src/labca + - ./.gocache:/root/.cache/go-build @@ -169,6 +152,8 @@ index 8092b1522..b9a8ac069 100644 + - .:/opt/boulder + - /home/labca/boulder_labca:/opt/boulder/labca + - /home/labca/boulder_labca/certs/.softhsm-tokens/:/var/lib/softhsm/tokens/ + networks: + - bouldernet + expose: + - 3000 + depends_on: @@ -182,18 +167,11 @@ index 8092b1522..b9a8ac069 100644 + max-size: "500k" + max-file: "5" + restart: always - -- bconsul: -- image: hashicorp/consul:1.15.4 -- volumes: -- - ./test/:/test/:cached ++ + nginx: + image: nginx:latest + restart: always - networks: -- bouldernet: -- ipv4_address: 10.77.77.10 -- command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" ++ networks: + - bouldernet + ports: + - 80:80 @@ -204,13 +182,11 @@ index 8092b1522..b9a8ac069 100644 + - /home/labca/nginx_data/static:/var/www/html + depends_on: + - control - -- bjaeger: -- image: jaegertracing/all-in-one:1.50 ++ + control: + image: *boulder_tools_image - networks: - - bouldernet ++ networks: ++ - bouldernet + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /home/labca/admin/data:/opt/labca/data diff --git a/patches/issuance_issuer.patch b/patches/issuance_issuer.patch index 6e9b664..099b80b 100644 --- a/patches/issuance_issuer.patch +++ b/patches/issuance_issuer.patch @@ -1,8 +1,8 @@ diff --git a/issuance/issuer.go b/issuance/issuer.go -index 95d2f03a7..c3129fe97 100644 +index e89143ea0..ec328c9df 100644 --- a/issuance/issuer.go 
+++ b/issuance/issuer.go -@@ -161,7 +161,7 @@ type IssuerConfig struct { +@@ -149,7 +149,7 @@ type IssuerConfig struct { Active bool IssuerURL string `validate:"required,url"` @@ -11,7 +11,7 @@ index 95d2f03a7..c3129fe97 100644 // TODO(#8177): Remove this. OCSPURL string `validate:"omitempty,url"` -@@ -248,9 +248,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk +@@ -236,9 +236,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk if !strings.HasPrefix(config.CRLURLBase, "http://") { return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase) } diff --git a/patches/makefile.patch b/patches/makefile.patch index d28eafb..a3ae366 100644 --- a/patches/makefile.patch +++ b/patches/makefile.patch @@ -1,13 +1,13 @@ diff --git a/Makefile b/Makefile -index 9522b89a7..b5aa9d84a 100644 +index 640ff12bd..486d54685 100644 --- a/Makefile +++ b/Makefile -@@ -36,7 +36,7 @@ $(CMD_BINS): build_cmds +@@ -37,7 +37,7 @@ $(CMD_BINS): build_cmds build_cmds: | $(OBJDIR) echo $(OBJECTS) -- GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor $(GO_BUILD_FLAGS) ./... -+ GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor -buildvcs=false $(GO_BUILD_FLAGS) ./... +- GOBIN=$(OBJDIR) go install -mod=vendor $(GO_BUILD_FLAGS) ./... ++ GOBIN=$(OBJDIR) go install -mod=vendor -buildvcs=false $(GO_BUILD_FLAGS) ./... # Building a .deb requires `fpm` from https://github.com/jordansissel/fpm # which you can install with `gem install fpm`. diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch deleted file mode 100644 index 662ad18..0000000 --- a/patches/ocsp-responder_main.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go -index ec03eb05f..1cfe3e20e 100644 ---- a/cmd/ocsp-responder/main.go -+++ b/cmd/ocsp-responder/main.go -@@ -91,7 +91,7 @@ type Config struct { - - // Configuration for using Redis as a cache. This configuration should - // allow for both read and write access. -- Redis *rocsp_config.RedisConfig `validate:"required_without=Source"` -+ Redis *rocsp_config.RedisConfig - - // TLS client certificate, private key, and trusted root bundle. - TLS cmd.TLSConfig `validate:"required_without=Source,structonly"` -@@ -165,7 +165,7 @@ as generated by Boulder's ceremony command. - } - source, err = responder.NewMemorySourceFromFile(filename, logger) - cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path)) -- } else { -+ } else if c.OCSPResponder.Redis != nil { - // Set up the redis source and the combined multiplex source. - rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope) - cmd.FailOnError(err, "Could not make redis client") -@@ -209,6 +209,19 @@ as generated by Boulder's ceremony command. - - source, err = redis_responder.NewCheckedRedisSource(rocspSource, dbMap, sac, scope, logger) - cmd.FailOnError(err, "Could not create checkedRedis source") -+ } else { -+ tlsConfig, err := c.OCSPResponder.TLS.Load(scope) -+ cmd.FailOnError(err, "TLS config") -+ -+ raConn, err := bgrpc.ClientSetup(c.OCSPResponder.RAService, tlsConfig, scope, clk) -+ cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA") -+ rac := rapb.NewRegistrationAuthorityClient(raConn) -+ -+ maxInflight := c.OCSPResponder.MaxInflightSignings -+ if maxInflight == 0 { -+ maxInflight = 1000 -+ } -+ source = live.New(rac, int64(maxInflight), c.OCSPResponder.MaxSigningWaiters) - } - - // Load the certificate from the file path. diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index e4434b3..bfcb965 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch 
@@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index ba993179a..04aec2370 100644 +index ad3c496de..b676be83a 100644 --- a/ra/ra.go +++ b/ra/ra.go -@@ -44,7 +44,6 @@ import ( +@@ -42,7 +42,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index ba993179a..04aec2370 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -574,7 +573,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { if !core.IsASCII(contact) { return berrors.InvalidEmailError("contact email contains non-ASCII characters") } @@ -19,7 +19,7 @@ index ba993179a..04aec2370 100644 if err != nil { return err } -@@ -1895,6 +1894,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { +@@ -1854,6 +1853,9 @@ func crlShard(cert *x509.Certificate) (int64, error) { return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url) } shardStr := url[lastIndex+1:] diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch index 8f5a5f9..62fdba0 100644 --- a/patches/ratelimits_names.patch +++ b/patches/ratelimits_names.patch @@ -1,9 +1,9 @@ diff --git a/ratelimits/names.go b/ratelimits/names.go -index 1ce3c514c..6f72b517c 100644 +index cc32e49b6..099de902d 100644 --- a/ratelimits/names.go +++ b/ratelimits/names.go -@@ -114,6 +114,9 @@ var nameToString = map[Name]string{ - FailedAuthorizationsForPausingPerDomainPerAccount: "FailedAuthorizationsForPausingPerDomainPerAccount", +@@ -120,6 +120,9 @@ var nameToString = map[Name]string{ + LimitOverrideRequestsPerIPAddress: "LimitOverrideRequestsPerIPAddress", } +// Policy Authority singleton 
@@ -12,7 +12,7 @@ index 1ce3c514c..6f72b517c 100644 // isValid returns true if the Name is a valid rate limit name. func (n Name) isValid() bool { return n > Unknown && n < Name(len(nameToString)) -@@ -195,7 +198,14 @@ func validateRegIdIdentValue(id string) error { +@@ -201,7 +204,14 @@ func validateRegIdIdentValue(id string) error { return fmt.Errorf( "invalid regId, %q must be formatted 'regId:identValue'", id) } @@ -28,7 +28,7 @@ index 1ce3c514c..6f72b517c 100644 if domainErr != nil { ipErr := policy.ValidIP(regIdIdentValue[1]) if ipErr != nil { -@@ -209,7 +219,15 @@ func validateRegIdIdentValue(id string) error { +@@ -215,7 +225,15 @@ func validateRegIdIdentValue(id string) error { // name or an IP address. IPv6 addresses must be the lowest address in their // /64, i.e. their last 64 bits must be zero. func validateDomainOrCIDR(limit Name, id string) error { @@ -45,7 +45,7 @@ index 1ce3c514c..6f72b517c 100644 if domainErr == nil { // This is a valid domain. return nil -@@ -264,8 +282,16 @@ func validateFQDNSet(id string) error { +@@ -270,8 +288,16 @@ func validateFQDNSet(id string) error { return fmt.Errorf( "invalid fqdnSet, %q must be formatted 'fqdnSet'", id) } diff --git a/patches/remoteva_main.patch b/patches/remoteva_main.patch index 17fae1f..d595ece 100644 --- a/patches/remoteva_main.patch +++ b/patches/remoteva_main.patch @@ -1,8 +1,8 @@ diff --git a/cmd/remoteva/main.go b/cmd/remoteva/main.go -index f4c0cbe76..1f454f489 100644 +index d049ba126..16fdca8a4 100644 --- a/cmd/remoteva/main.go +++ b/cmd/remoteva/main.go -@@ -57,7 +57,8 @@ type Config struct { +@@ -59,7 +59,8 @@ type Config struct { // For more information, see: https://pkg.go.dev/crypto/tls#ClientAuthType SkipGRPCClientCertVerification bool @@ -12,8 +12,8 @@ index f4c0cbe76..1f454f489 100644 } Syslog cmd.SyslogConfig -@@ -87,12 +88,16 @@ func main() { - clk := cmd.Clock() +@@ -89,12 +90,16 @@ func main() { + clk := clock.New() var servers bdns.ServerProvider + proto := "udp" 
@@ -30,7 +30,7 @@ index f4c0cbe76..1f454f489 100644
 cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
 }
 defer servers.Stop()
-@@ -138,7 +143,8 @@ func main() {
+@@ -140,7 +145,8 @@ func main() {
 c.RVA.AccountURIPrefixes,
 c.RVA.Perspective,
 c.RVA.RIR,
diff --git a/patches/sfe_overrides.patch b/patches/sfe_overrides.patch
new file mode 100644
index 0000000..389eb4b
--- /dev/null
+++ b/patches/sfe_overrides.patch
@@ -0,0 +1,38 @@
+diff --git a/sfe/overrides.go b/sfe/overrides.go
+index 8eb024aed..20687c2bd 100644
+--- a/sfe/overrides.go
++++ b/sfe/overrides.go
+@@ -13,6 +13,7 @@ import (
+ 
+ berrors "github.com/letsencrypt/boulder/errors"
+ "github.com/letsencrypt/boulder/iana"
++ "github.com/letsencrypt/boulder/identifier"
+ "github.com/letsencrypt/boulder/policy"
+ rl "github.com/letsencrypt/boulder/ratelimits"
+ "github.com/letsencrypt/boulder/sfe/forms"
+@@ -356,7 +357,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
+ return nil
+ 
+ case emailAddressFieldName:
+- err := policy.ValidEmail(fieldValue)
++ pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil)
++ if err != nil {
++ return fmt.Errorf("cannot create policy authority implementation for email")
++ }
++ err = pa.ValidEmail(fieldValue)
+ if err == nil {
+ return nil
+ }
+@@ -382,7 +387,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
+ return fmt.Errorf("IP address is invalid")
+ 
+ case RegisteredDomainFieldName:
+- err := policy.ValidDomain(fieldValue)
++ pa, err := policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil)
++ if err != nil {
++ return fmt.Errorf("cannot create policy authority implementation")
++ }
++ err = pa.ValidDomain(fieldValue)
+ if err != nil {
+ return fmt.Errorf("registered domain name is invalid")
+ }
diff --git a/patches/sfe_templates_layout.patch b/patches/sfe_templates_layout.patch
index 2e186b7..34514ae 100644
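Review bot: validateOverrideRequestField now calls policy.New on every form submission, twice over in the emailAddressFieldName and RegisteredDomainFieldName cases, so each request to the self-service portal rebuilds a policy authority whose inputs never change between calls; the `// Policy Authority singleton` added in ratelimits_names.patch suggests the same concern was already handled there, and the SFE should reuse one instance too. The `if err != nil` branches also drop the cause: `fmt.Errorf("cannot create policy authority implementation for email")` should wrap it, e.g. `fmt.Errorf("creating policy authority: %w", err)`. I cannot tell from the hunk what the two nil arguments to policy.New stand in for; if they carry the hostname policy or blocklist the RA's authority is configured with, this precheck will accept names the RA later rejects, which is worth confirming. validateOverrideRequestField itself starts and ends outside the inner hunk; the sketch below builds the authority once behind a local interface and needs `sync` imported in sfe/overrides.go.
```go
// overrideValidator is the subset of the policy authority the form checks use.
type overrideValidator interface {
	ValidEmail(string) error
	ValidDomain(string) error
}

var (
	overridePAOnce sync.Once
	overridePA     overrideValidator
	overridePAErr  error
)

// overridePolicyAuthority builds the policy authority once and reuses it for
// every override-form validation instead of calling policy.New per request.
func overridePolicyAuthority() (overrideValidator, error) {
	overridePAOnce.Do(func() {
		overridePA, overridePAErr = policy.New(map[identifier.IdentifierType]bool{"dns": true}, nil, nil)
	})
	if overridePAErr != nil {
		return nil, fmt.Errorf("creating policy authority: %w", overridePAErr)
	}
	return overridePA, nil
}

// … unchanged: validateOverrideRequestField up to the email case …
	case emailAddressFieldName:
		pa, err := overridePolicyAuthority()
		if err != nil {
			return err
		}
		err = pa.ValidEmail(fieldValue)
// … unchanged: remaining email handling and the IP case …
	case RegisteredDomainFieldName:
		pa, err := overridePolicyAuthority()
		if err != nil {
			return err
		}
		err = pa.ValidDomain(fieldValue)
// … unchanged: rest of validateOverrideRequestField …
```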
--- a/patches/sfe_templates_layout.patch +++ b/patches/sfe_templates_layout.patch @@ -1,8 +1,8 @@ diff --git a/sfe/templates/layout.html b/sfe/templates/layout.html -index 15d5e88d9..2511e9e13 100644 +index ded5d495f..009aa7de2 100644 --- a/sfe/templates/layout.html +++ b/sfe/templates/layout.html -@@ -4,8 +4,8 @@ +@@ -4,14 +4,14 @@ @@ -10,15 +10,13 @@ index 15d5e88d9..2511e9e13 100644 - + Self-Service Portal | LabCA + -