diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e6a1997..1afc379 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
 fail-fast: false
 matrix:
 GO_VERSION:
- 1.21.5
+ 1.22.1
 steps:
 - name: Checkout
diff --git a/build/Dockerfile-boulder b/build/Dockerfile-boulder
index a2d9a91..0e32782 100644
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,4 +1,4 @@
-FROM letsencrypt/boulder-tools:go1.21.5_2024-02-14 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.22.1_2024-03-05 AS boulder-tools
 FROM ubuntu:focal
diff --git a/build/build.sh b/build/build.sh
index a1de0ac..97b72ac 100755
--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}
 boulderDir=$TMP_DIR/src
-boulderTag="release-2024-02-26"
+boulderTag="release-2024-04-01"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..
diff --git a/build/docker-compose.yml b/build/docker-compose.yml
index e3389ca..169ded3 100644
--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -8,9 +8,9 @@ services:
 image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
 build:
 context: test/boulder-tools/
- # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
+ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
 args:
- GO_VERSION: 1.21.5
+ GO_VERSION: 1.22.1
 environment:
 # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
 # to the IP address where your ACME client's solver is listening.
diff --git a/build/tmp.patch b/build/tmp.patch
index 04b3de2..06131f1 100644
--- a/build/tmp.patch
+++ b/build/tmp.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 423aed0ff..e3389ca21 100644
+index a6d1db857..169ded339 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -5,7 +5,7 @@ services:
@@ -10,7 +10,7 @@ index 423aed0ff..e3389ca21 100644
 + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest}
 build:
 context: test/boulder-tools/
- # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
+ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
 @@ -22,12 +22,9 @@ services:
 # Forward the parent env's GOEXPERIMENT value into the container.
 GOEXPERIMENT: ${GOEXPERIMENT:-}
diff --git a/install b/install
index 7535834..146c0e3 100755
--- a/install
+++ b/install
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2024-02-26"
+boulderTag="release-2024-04-01"
 # Feature flags
 flag_skip_redis=true
diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch
index 6f68eaf..81cc396 100644
--- a/patches/docker-compose.patch
+++ b/patches/docker-compose.patch
@@ -1,5 +1,5 @@
 diff --git a/docker-compose.yml b/docker-compose.yml
-index 0d59c1228..85791692b 100644
+index 8971dbdb4..a6d1db857 100644
 --- a/docker-compose.yml
 +++ b/docker-compose.yml
 @@ -1,10 +1,11 @@
@@ -14,7 +14,7 @@ index 0d59c1228..85791692b 100644
 + image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-latest}
 build:
 context: test/boulder-tools/
- # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh.
+ # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
 @@ -15,13 +16,15 @@ services:
 # to the IP address where your ACME client's solver is listening.
 # FAKE_DNS: 172.17.0.1
@@ -102,10 +102,14 @@ index 0d59c1228..85791692b 100644
 ipv4_address: 10.77.77.10
 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 + restart: always
-+
+
+- bjaeger:
+- image: jaegertracing/all-in-one:1.50
 + gui:
 + image: *boulder_image
-+ networks:
+ networks:
+- bouldernet:
+- ipv4_address: 10.77.77.17
 + - bouldernet
 + volumes:
 + - /var/run/docker.sock:/var/run/docker.sock
@@ -127,15 +131,11 @@ index 0d59c1228..85791692b 100644
 + max-size: "500k"
 + max-file: "5"
 + restart: always
-
-- bjaeger:
-- image: jaegertracing/all-in-one:1.50
++
 + nginx:
 + image: nginx:1.25.4
 + restart: always
- networks:
-- bouldernet:
-- ipv4_address: 10.77.77.17
++ networks:
 + - bouldernet
 + ports:
 + - 80:80
diff --git a/patches/errors_errors.patch b/patches/errors_errors.patch
index 6cd651f..d0c6129 100644
--- a/patches/errors_errors.patch
+++ b/patches/errors_errors.patch
@@ -1,8 +1,8 @@
 diff --git a/errors/errors.go b/errors/errors.go
-index 206857bd..9b185064 100644
+index d7328b08d..00bd834d8 100644
 --- a/errors/errors.go
 +++ b/errors/errors.go
-@@ -168,10 +168,10 @@ func NotFoundError(msg string, args ...interface{}) error {
+@@ -171,10 +171,10 @@ func NotFoundError(msg string, args ...interface{}) error {
 return New(NotFound, msg, args...)
 }
diff --git a/patches/issuance_crl.patch b/patches/issuance_crl.patch
index ee89fe2..b3acb5f 100644
--- a/patches/issuance_crl.patch
+++ b/patches/issuance_crl.patch
@@ -1,13 +1,13 @@
 diff --git a/issuance/crl.go b/issuance/crl.go
-index 2f36d695c..c9c2a6548 100644
+index 9f9619ff1..f0a180a6f 100644
 --- a/issuance/crl.go
 +++ b/issuance/crl.go
-@@ -90,7 +90,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
+@@ -91,7 +91,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) {
 if req.DeprecatedIDPBaseURL != "" {
 // TODO(#7296): Remove this fallback once CCADB and all non-expired certs
 // contain the new-style CRLDP URL instead.
 - idps = append(idps, fmt.Sprintf("%s/%d/%d.crl", req.DeprecatedIDPBaseURL, i.NameID(), req.Shard))
 + idps = append(idps, fmt.Sprintf("%s/%d.crl", req.DeprecatedIDPBaseURL, i.NameID()))
 }
- idp, err := makeIDPExt(idps)
+ idp, err := idp.MakeUserCertsExt(idps)
 if err != nil {
diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch
index 36867bd..321cbbd 100644
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 7c62ad078..21bc601b4 100644
+index ea609da8f..2ad0fb2a6 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
 @@ -43,7 +43,6 @@ import (
@@ -10,7 +10,7 @@ index 7c62ad078..21bc601b4 100644
 "github.com/letsencrypt/boulder/probs"
 pubpb "github.com/letsencrypt/boulder/publisher/proto"
 rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -555,7 +554,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -561,7 +560,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 contact,
 )
 }
diff --git a/patches/ratelimits_names.patch b/patches/ratelimits_names.patch
index d580f26..8f6669a 100644
--- a/patches/ratelimits_names.patch
+++ b/patches/ratelimits_names.patch
@@ -1,8 +1,8 @@
 diff --git a/ratelimits/names.go b/ratelimits/names.go
-index 4a541d1e6..433aaa522 100644
+index c92970498..f4d6c282b 100644
 --- a/ratelimits/names.go
 +++ b/ratelimits/names.go
-@@ -145,7 +145,11 @@ func validateRegId(id string) error {
+@@ -148,7 +148,11 @@ func validateRegId(id string) error {
 // validateDomain validates that the provided string is formatted 'domain',
 // where domain is a domain name.
 func validateDomain(id string) error {
@@ -15,7 +15,7 @@ index 4a541d1e6..433aaa522 100644
 if err != nil {
 return fmt.Errorf("invalid domain, %q must be formatted 'domain': %w", id, err)
 }
-@@ -166,7 +170,11 @@ func validateRegIdDomain(id string) error {
+@@ -169,7 +173,11 @@ func validateRegIdDomain(id string) error {
 return fmt.Errorf(
 "invalid regId, %q must be formatted 'regId:domain'", id)
 }
@@ -28,7 +28,7 @@ index 4a541d1e6..433aaa522 100644
 if err != nil {
 return fmt.Errorf(
 "invalid domain, %q must be formatted 'regId:domain': %w", id, err)
-@@ -182,8 +190,12 @@ func validateFQDNSet(id string) error {
+@@ -185,8 +193,12 @@ func validateFQDNSet(id string) error {
 return fmt.Errorf(
 "invalid fqdnSet, %q must be formatted 'fqdnSet'", id)
 }
diff --git a/patches/storer_storer.patch b/patches/storer_storer.patch
index c790ab9..ec6e763 100644
--- a/patches/storer_storer.patch
+++ b/patches/storer_storer.patch
@@ -1,8 +1,8 @@
 diff --git a/crl/storer/storer.go b/crl/storer/storer.go
-index 296852415..00dc7da90 100644
+index 10b1753c7..2cbc2eb17 100644
 --- a/crl/storer/storer.go
 +++ b/crl/storer/storer.go
-@@ -11,7 +11,11 @@ import (
+@@ -9,8 +9,12 @@ import (
 "errors"
 "fmt"
 "io"
@@ -10,6 +10,7 @@ index 296852415..00dc7da90 100644
 "math/big"
 + "os"
 + "path/filepath"
+ "slices"
 + "sort"
 "time"
@@ -38,7 +39,7 @@ index 296852415..00dc7da90 100644
 uploadCount: uploadCount,
 sizeHistogram: sizeHistogram,
 latencyHistogram: latencyHistogram,
-@@ -203,15 +210,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
+@@ -218,15 +225,19 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
 checksum := sha256.Sum256(crlBytes)
 checksumb64 := base64.StdEncoding.EncodeToString(checksum[:])
 crlContentType := "application/pkix-crl"
@@ -67,9 +68,9 @@ index 296852415..00dc7da90 100644
 latency := cs.clk.Now().Sub(start)
 cs.latencyHistogram.WithLabelValues(issuer.Subject.CommonName).Observe(latency.Seconds())
-@@ -240,3 +251,46 @@ func getIDPExt(exts []pkix.Extension) []byte {
- }
- return nil
+@@ -245,3 +256,46 @@ func (cs *crlStorer) UploadCRL(stream cspb.CRLStorer_UploadCRLServer) error {
+
+ return stream.SendAndClose(&emptypb.Empty{})
 }
 +
 +func storeLocalFile(path string, nameID issuance.NameID, crlNumber *big.Int, shardIdx int64, crlBytes io.Reader) error {