Bump boulder version to v0.20251021.0

2026-01-27 10:19:34 +00:00 · 2025-11-09 17:03:16 +01:00
parent ac119fb82b
commit e808b18d2a
24 changed files with 71 additions and 94 deletions
--- a/.github/workflows/build-standalone.yml
+++ b/.github/workflows/build-standalone.yml
@@ -17,7 +17,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.25.0
+          - 1.25.2

    steps:
      - name: Checkout
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -20,7 +20,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.25.0
+          - 1.25.2

    steps:
      - uses: actions/checkout@v5
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,7 @@ jobs:
      fail-fast: false
      matrix:
        GO_VERSION:
-          - 1.25.0
+          - 1.25.2

    steps:
      - name: Checkout
--- a/build/Dockerfile-boulder
+++ b/build/Dockerfile-boulder
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.25.2_2025-10-07 AS boulder-tools

 FROM ubuntu:noble

--- a/build/Dockerfile-control
+++ b/build/Dockerfile-control
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM letsencrypt/boulder-tools:go1.25.0_2025-08-15 AS boulder-tools
+FROM letsencrypt/boulder-tools:go1.25.2_2025-10-07 AS boulder-tools

 FROM ubuntu:noble AS builder

--- a/build/build.sh
+++ b/build/build.sh
@@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp
 rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src}

 boulderDir=$TMP_DIR/src
-boulderTag="v0.20250908.0"
+boulderTag="v0.20251021.0"
 boulderUrl="https://github.com/letsencrypt/boulder/"
 cloneDir=$(pwd)/..

--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -9,7 +9,7 @@ services:
      context: test/boulder-tools/
      # Should match one of the GO_CI_VERSIONS in test/boulder-tools/tag_and_upload.sh.
      args:
-        GO_VERSION: 1.25.0
+        GO_VERSION: 1.25.2
    environment:
      # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS
      # to the IP address where your ACME client's solver is listening. This is
@@ -222,7 +222,7 @@ networks:
  # validate and issue for it. It is used by challtestsrv, which binds to
  # 64.112.117.122:80 and :443 for its HTTP-01 challenge responder.
  #
-  # TODO(#8215): Put akamai-test-srv and s3-test-srv on this network.
+  # TODO(#8215): Put s3-test-srv on this network.
  publicnet:
    driver: bridge
    ipam:
--- a/build/tmp2.patch
+++ b/build/tmp2.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index df82abbf8..08720c37e 100644
+index b1e7253a2..7df345767 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -186,6 +186,9 @@ processes = []
+@@ -179,6 +179,9 @@ processes = []
 challSrvProcess = None
 
 def install(race_detection, coverage=False):
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -177,8 +177,6 @@ else
 fi
 sed -i -e "s/\"timeout\": \"1s\"/\"timeout\": \"5s\"/" config/health-checker.json

-sed -i -e "s/\"purgeInterval\": \".*\"/\"purgeInterval\": \"1s\"/" config/akamai-purger.json
-
 for fl in $(grep -Rl maxOpenConns config/); do
    set +e
    m=$(grep "connMaxIdleTime" $fl)
--- a/2
+++ b/2
@@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0"

 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="v0.20250908.0"
+boulderTag="v0.20251021.0"

 #
 # Color configuration
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -21,7 +21,6 @@ $SUDO patch -p1 -o "$boulderLabCADir/config/crl-storer.json" < $cloneDir/patches
 $SUDO patch -p1 -o "$boulderLabCADir/config/crl-updater.json" < $cloneDir/patches/config_crl-updater.patch
 $SUDO patch -p1 -o "$boulderLabCADir/config/ca.json" < $cloneDir/patches/test_config_ca.patch
 $SUDO patch -p1 -o "$boulderLabCADir/config/ra.json" < $cloneDir/patches/config_ra.patch
-$SUDO patch -p1 -o "$boulderLabCADir/config/akamai-purger.json" < $cloneDir/patches/config_akamai-purger.patch
 $SUDO patch -p1 -o "$boulderLabCADir/certs/generate.sh" < $cloneDir/patches/test_certs_generate.patch
 chmod +x $boulderLabCADir/certs/generate.sh

--- a/patches/ca_ca.patch
+++ b/patches/ca_ca.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 4f5c863e0..8e4d57233 100644
+index 3b33991eb..b63f6a143 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -170,10 +170,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -164,10 +164,10 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/ca_ca_keytype_hack.patch
+++ b/patches/ca_ca_keytype_hack.patch
@@ -1,8 +1,8 @@
 diff --git a/ca/ca.go b/ca/ca.go
-index 8e4d57233..8a95367ac 100644
+index b63f6a143..2ab73db94 100644
 --- a/ca/ca.go
 +++ b/ca/ca.go
-@@ -170,10 +170,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
+@@ -164,10 +164,14 @@ func makeIssuerMaps(issuers []*issuance.Issuer) (issuerMaps, error) {
 		}
 	}
 	if i, ok := issuersByAlg[x509.ECDSA]; !ok || len(i) == 0 {
--- a/patches/ceremony_main.patch
+++ b/patches/ceremony_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/ceremony/main.go b/cmd/ceremony/main.go
-index 1a2cde645..193d7e325 100644
+index c075c6615..9f51130b0 100644
 --- a/cmd/ceremony/main.go
 +++ b/cmd/ceremony/main.go
@@ -98,6 +98,7 @@ type keyGenConfig struct {
@@ -33,7 +33,7 @@ index 1a2cde645..193d7e325 100644
 	}
 	err = checkOutputFile(rc.Outputs.CertificatePath, "certificate-path")
 	if err != nil {
-@@ -630,23 +634,42 @@ func rootCeremony(configBytes []byte) error {
+@@ -577,23 +581,42 @@ func rootCeremony(configBytes []byte) error {
 		return fmt.Errorf("failed to setup session and PKCS#11 context for slot %d: %s", config.PKCS11.StoreSlot, err)
 	}
 	log.Printf("Opened PKCS#11 session for slot %d\n", config.PKCS11.StoreSlot)
--- a/patches/config_akamai-purger.patch
+++ b/patches/config_akamai-purger.patch
@@ -1,21 +0,0 @@
-diff --git a/test/config/akamai-purger.json b/test/config/akamai-purger.json
-index 62c5b4cc9..2c39d70cb 100644
--- a/test/config/akamai-purger.json
-+++ b/test/config/akamai-purger.json
-@@ -9,9 +9,13 @@
- 		"accessToken": "idk-how-this-is-different-from-client-token-but-okay",
- 		"v3Network": "staging",
- 		"tls": {
-			"caCertfile": "test/certs/ipki/minica.pem",
-			"certFile": "test/certs/ipki/akamai-purger.boulder/cert.pem",
-			"keyFile": "test/certs/ipki/akamai-purger.boulder/key.pem"
-+			"caCertfile": "labca/certs/ipki/minica.pem",
-+			"certFile": "labca/certs/ipki/akamai-purger.boulder/cert.pem",
-+			"keyFile": "labca/certs/ipki/akamai-purger.boulder/key.pem"
-+		},
-+		"throughput": {
-+			"queueEntriesPerBatch": 5,
-+			"purgeBatchInterval": "5m"
- 		},
- 		"grpc": {
- 			"address": ":9099",
--- a/patches/config_ra.patch
+++ b/patches/config_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/test/config/ra.json b/test/config/ra.json
-index 1cecd4772..39b9f6284 100644
+index b2dcd15eb..3e8d5af59 100644
 --- a/test/config/ra.json
 +++ b/test/config/ra.json
@@ -3,7 +3,8 @@
@@ -58,7 +58,7 @@ index 1cecd4772..39b9f6284 100644
 		},
 		"vaService": {
 			"dnsAuthority": "consul.service.consul",
-@@ -153,7 +149,7 @@
+@@ -143,7 +139,7 @@
 		},
 		"ctLogs": {
 			"stagger": "500ms",
--- a/patches/issuance_issuer.patch
+++ b/patches/issuance_issuer.patch
@@ -1,5 +1,5 @@
 diff --git a/issuance/issuer.go b/issuance/issuer.go
-index e89143ea0..f0015706e 100644
+index 1c8b7ed1f..c21910db2 100644
 --- a/issuance/issuer.go
 +++ b/issuance/issuer.go
@@ -128,8 +128,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) {
@@ -13,8 +13,8 @@ index e89143ea0..f0015706e 100644
 			lastCert.Subject, certFiles[len(certFiles)-1], err)
 	}
 
-@@ -149,7 +149,7 @@ type IssuerConfig struct {
- 	Active bool
+@@ -154,7 +154,7 @@ type IssuerConfig struct {
+ 	Profiles []string `validate:"omitempty,dive,alphanum,min=1,max=32"`
 
 	IssuerURL  string `validate:"required,url"`
 -	CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`
@@ -22,13 +22,13 @@ index e89143ea0..f0015706e 100644
 
 	// TODO(#8177): Remove this.
 	OCSPURL string `validate:"omitempty,url"`
-@@ -236,9 +236,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
+@@ -239,9 +239,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
 	if !strings.HasPrefix(config.CRLURLBase, "http://") {
 		return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase)
 	}
 -	if !strings.HasSuffix(config.CRLURLBase, "/") {
 -		return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase)
 -	}
- 
- 	// We require that all of our issuers be capable of both issuing certs and
- 	// providing revocation information.
+ 	if config.CRLShards <= 0 {
+ 		return nil, errors.New("Number of CRL shards is required")
+ 	}
--- a/patches/log_validator_validator.patch
+++ b/patches/log_validator_validator.patch
@@ -1,15 +1,16 @@
 diff --git a/log/validator/validator.go b/log/validator/validator.go
-index a73330cb3..a5a752063 100644
+index 6b02f83ae..4b066b44a 100644
 --- a/log/validator/validator.go
 +++ b/log/validator/validator.go
-@@ -203,8 +203,8 @@ func lineValid(text string) error {
+@@ -203,9 +203,9 @@ func lineValid(text string) error {
 	if strings.Contains(text, errorPrefix) {
 		return nil
 	}
 -	// Check the extracted checksum against the computed checksum
-	if computedChecksum := log.LogLineChecksum(line); checksum != computedChecksum {
 +	// Check the extracted checksum against the computed checksum, but ignore "message repeated X times" lines
-+	if computedChecksum := log.LogLineChecksum(line); checksum != computedChecksum && checksum != "message" {
+ 	computedChecksum := log.LogLineChecksum(line)
+-	if checksum != computedChecksum {
+	if checksum != computedChecksum && checksum != "message" {
 		return fmt.Errorf("%s invalid checksum (expected %q, got %q)", errorPrefix, computedChecksum, checksum)
 	}
 	return nil
--- a/patches/policy_pa.patch
+++ b/patches/policy_pa.patch
@@ -1,8 +1,8 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index 961b67cb6..4e0ea33f6 100644
+index ab17bd89d..52866ef83 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
-@@ -31,6 +31,9 @@ type AuthorityImpl struct {
+@@ -32,6 +32,9 @@ type AuthorityImpl struct {
 	domainBlocklist       map[string]bool
 	fqdnBlocklist         map[string]bool
 	wildcardFqdnBlocklist map[string]bool
@@ -12,7 +12,7 @@ index 961b67cb6..4e0ea33f6 100644
 	ipPrefixBlocklist     []netip.Prefix
 	blocklistMu           sync.RWMutex
 
-@@ -72,6 +75,10 @@ type blockedIdentsPolicy struct {
+@@ -73,6 +76,10 @@ type blockedIdentsPolicy struct {
 	// AdminBlockedPrefixes is a list of IP address prefixes. All IP addresses
 	// contained within the prefix are blocked.
 	AdminBlockedPrefixes []string `yaml:"AdminBlockedPrefixes"`
@@ -23,7 +23,7 @@ index 961b67cb6..4e0ea33f6 100644
 }
 
 // LoadIdentPolicyFile will load the given policy file, returning an error if it
-@@ -143,11 +150,23 @@ func (pa *AuthorityImpl) processIdentPolicy(policy blockedIdentsPolicy) error {
+@@ -144,11 +151,23 @@ func (pa *AuthorityImpl) processIdentPolicy(policy blockedIdentsPolicy) error {
 		prefixes = append(prefixes, prefix)
 	}
 
@@ -47,7 +47,7 @@ index 961b67cb6..4e0ea33f6 100644
 	pa.blocklistMu.Unlock()
 	return nil
 }
-@@ -218,7 +237,7 @@ var (
+@@ -219,7 +238,7 @@ var (
 //   - exactly equal to an IANA registered TLD
 //
 // It does NOT ensure that the domain is absent from any PA blocked lists.
@@ -56,7 +56,7 @@ index 961b67cb6..4e0ea33f6 100644
 	if domain == "" {
 		return errEmptyIdentifier
 	}
-@@ -251,7 +270,9 @@ func validNonWildcardDomain(domain string) error {
+@@ -252,7 +271,9 @@ func validNonWildcardDomain(domain string) error {
 		return errTooManyLabels
 	}
 	if len(labels) < 2 {
@@ -67,7 +67,7 @@ index 961b67cb6..4e0ea33f6 100644
 	}
 	for _, label := range labels {
 		// Check that this is a valid LDH Label: "A string consisting of ASCII
-@@ -295,12 +316,17 @@ func validNonWildcardDomain(domain string) error {
+@@ -296,12 +317,17 @@ func validNonWildcardDomain(domain string) error {
 		}
 	}
 
@@ -89,7 +89,7 @@ index 961b67cb6..4e0ea33f6 100644
 		return errICANNTLD
 	}
 
-@@ -310,9 +336,9 @@ func validNonWildcardDomain(domain string) error {
+@@ -311,9 +337,9 @@ func validNonWildcardDomain(domain string) error {
 // ValidDomain checks that a domain is valid and that it doesn't contain any
 // invalid wildcard characters. It does NOT ensure that the domain is absent
 // from any PA blocked lists.
@@ -101,7 +101,7 @@ index 961b67cb6..4e0ea33f6 100644
 	}
 
 	// Names containing more than one wildcard are invalid.
-@@ -331,7 +357,7 @@ func ValidDomain(domain string) error {
+@@ -332,7 +358,7 @@ func ValidDomain(domain string) error {
 
 	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
 	icannTLD, err := iana.ExtractSuffix(baseDomain)
@@ -110,7 +110,7 @@ index 961b67cb6..4e0ea33f6 100644
 		return errNonPublic
 	}
 	// Names must have a non-wildcard label immediately adjacent to the ICANN
-@@ -339,7 +365,7 @@ func ValidDomain(domain string) error {
+@@ -340,7 +366,7 @@ func ValidDomain(domain string) error {
 	if baseDomain == icannTLD {
 		return errICANNTLDWildcard
 	}
@@ -119,7 +119,7 @@ index 961b67cb6..4e0ea33f6 100644
 }
 
 // ValidIP checks that an IP address:
-@@ -382,14 +408,14 @@ var forbiddenMailDomains = map[string]bool{
+@@ -383,14 +409,14 @@ var forbiddenMailDomains = map[string]bool{
 // ValidEmail returns an error if the input doesn't parse as an email address,
 // the domain isn't a valid hostname in Preferred Name Syntax, or its on the
 // list of domains forbidden for mail (because they are often used in examples).
@@ -136,7 +136,7 @@ index 961b67cb6..4e0ea33f6 100644
 	if err != nil {
 		return berrors.InvalidEmailError("contact email has invalid domain: %s", err)
 	}
-@@ -431,7 +457,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro
+@@ -432,7 +458,7 @@ func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderErro
 //
 // Precondition: all input identifier values must be in lowercase.
 func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error {
@@ -145,7 +145,7 @@ index 961b67cb6..4e0ea33f6 100644
 	if err != nil {
 		return err
 	}
-@@ -448,6 +474,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
+@@ -449,6 +475,10 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
 			// The base domain is the wildcard request with the `*.` prefix removed
 			baseDomain := strings.TrimPrefix(ident.Value, "*.")
 
@@ -156,7 +156,7 @@ index 961b67cb6..4e0ea33f6 100644
 			// The base domain can't be in the wildcard exact blocklist
 			err = pa.checkWildcardBlocklist(baseDomain)
 			if err != nil {
-@@ -496,12 +526,12 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
+@@ -497,12 +527,12 @@ func (pa *AuthorityImpl) WillingToIssue(idents identifier.ACMEIdentifiers) error
 //
 // If multiple identifiers are invalid, the error will contain suberrors
 // specific to each identifier.
@@ -171,7 +171,7 @@ index 961b67cb6..4e0ea33f6 100644
 			if err != nil {
 				subErrors = append(subErrors, subError(ident, err))
 			}
-@@ -543,6 +573,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
+@@ -544,6 +574,34 @@ func combineSubErrors(subErrors []berrors.SubBoulderError) error {
 	return nil
 }
 
@@ -206,7 +206,7 @@ index 961b67cb6..4e0ea33f6 100644
 // checkWildcardBlocklist checks the wildcardExactBlocklist for a given domain.
 // If the domain is not present on the list nil is returned, otherwise
 // errPolicyForbidden is returned.
-@@ -574,6 +632,9 @@ func (pa *AuthorityImpl) checkBlocklists(ident identifier.ACMEIdentifier) error
+@@ -575,6 +633,9 @@ func (pa *AuthorityImpl) checkBlocklists(ident identifier.ACMEIdentifier) error
 		labels := strings.Split(ident.Value, ".")
 		for i := range labels {
 			joined := strings.Join(labels[i:], ".")
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,8 +1,8 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index ad3c496de..b676be83a 100644
+index 54e51cce5..af96bb245 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -42,7 +42,6 @@ import (
+@@ -41,7 +41,6 @@ import (
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
@@ -10,7 +10,7 @@ index ad3c496de..b676be83a 100644
 	"github.com/letsencrypt/boulder/probs"
 	pubpb "github.com/letsencrypt/boulder/publisher/proto"
 	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -568,7 +567,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
+@@ -567,7 +566,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error {
 		if !core.IsASCII(contact) {
 			return berrors.InvalidEmailError("contact email contains non-ASCII characters")
 		}
@@ -19,7 +19,7 @@ index ad3c496de..b676be83a 100644
 		if err != nil {
 			return err
 		}
-@@ -1854,6 +1853,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
+@@ -1850,6 +1849,9 @@ func crlShard(cert *x509.Certificate) (int64, error) {
 		return 0, fmt.Errorf("malformed CRLDistributionPoint %q", url)
 	}
 	shardStr := url[lastIndex+1:]
--- a/patches/sfe_overrides.patch
+++ b/patches/sfe_overrides.patch
@@ -1,8 +1,8 @@
 diff --git a/sfe/overrides.go b/sfe/overrides.go
-index e48c087a9..644371825 100644
+index e313f27b7..28b024373 100644
 --- a/sfe/overrides.go
 +++ b/sfe/overrides.go
-@@ -14,6 +14,7 @@ import (
+@@ -15,6 +15,7 @@ import (
 	emailpb "github.com/letsencrypt/boulder/email/proto"
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/iana"
@@ -10,7 +10,7 @@ index e48c087a9..644371825 100644
 	"github.com/letsencrypt/boulder/policy"
 	rl "github.com/letsencrypt/boulder/ratelimits"
 	"github.com/letsencrypt/boulder/sfe/forms"
-@@ -362,7 +363,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
+@@ -346,7 +347,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
 		return nil
 
 	case emailAddressFieldName:
@@ -23,7 +23,7 @@ index e48c087a9..644371825 100644
 		if err == nil {
 			return nil
 		}
-@@ -388,7 +393,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
+@@ -372,7 +377,11 @@ func validateOverrideRequestField(fieldName, fieldValue, rateLimit string) error
 		return fmt.Errorf("IP address is invalid")
 
 	case RegisteredDomainFieldName:
--- a/patches/test_startservers.patch
+++ b/patches/test_startservers.patch
@@ -1,8 +1,8 @@
 diff --git a/test/startservers.py b/test/startservers.py
-index 9a46c7db2..df82abbf8 100644
+index c045ff280..b1e7253a2 100644
 --- a/test/startservers.py
 +++ b/test/startservers.py
-@@ -77,6 +77,10 @@ SERVICES = (
+@@ -69,6 +69,10 @@ SERVICES = (
         9667, None, None,
         ('./bin/boulder', 'crl-storer', '--config', os.path.join(config_dir, 'crl-storer.json'), '--addr', ':9309', '--debug-addr', ':9667'),
         ('s3-test-srv',)),
--- a/patches/updater_updater.patch
+++ b/patches/updater_updater.patch
@@ -1,8 +1,8 @@
 diff --git a/crl/updater/updater.go b/crl/updater/updater.go
-index 600b17f22..bef3305b3 100644
+index 9020c6c62..09b31f88a 100644
 --- a/crl/updater/updater.go
 +++ b/crl/updater/updater.go
-@@ -80,7 +80,7 @@ func NewUpdater(
+@@ -72,7 +72,7 @@ func NewUpdater(
 		return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards)
 	}
 
@@ -11,12 +11,12 @@ index 600b17f22..bef3305b3 100644
 		return nil, fmt.Errorf("must update CRLs at least every 24 hours, got: %s", updatePeriod)
 	}
 
-@@ -307,7 +307,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
- 			return fmt.Errorf("streaming GetRevokedCerts: %w", err)
- 		}
- 
-		cu.log.Infof(
-+		cu.log.Debugf(
- 			"Queried SA for CRL shard: id=[%s] expiresAfter=[%s] expiresBefore=[%s] numEntries=[%d]",
- 			crlID, chunk.start, chunk.end, n)
+@@ -229,7 +229,7 @@ func (cu *crlUpdater) updateShard(ctx context.Context, atTime time.Time, issuerN
+ 		crlEntries = append(crlEntries, entry)
 	}
+ 
+-	cu.log.Infof("Queried SA for CRL shard: id=[%s] shardIdx=[%d] numEntries=[%d]", crlID, shardIdx, len(crlEntries))
+	cu.log.Debugf("Queried SA for CRL shard: id=[%s] shardIdx=[%d] numEntries=[%d]", crlID, shardIdx, len(crlEntries))
+ 
+ 	// Send the full list of CRL Entries to the CA.
+ 	caStream, err := cu.ca.GenerateCRL(ctx)
--- a/patches/va_va.patch
+++ b/patches/va_va.patch
@@ -1,8 +1,8 @@
 diff --git a/va/va.go b/va/va.go
-index 4307e57b4..c63b2dea8 100644
+index 4993aec36..161cbacda 100644
 --- a/va/va.go
 +++ b/va/va.go
-@@ -218,6 +218,7 @@ type ValidationAuthorityImpl struct {
+@@ -219,6 +219,7 @@ type ValidationAuthorityImpl struct {
 	perspective        string
 	rir                string
 	isReservedIPFunc   func(netip.Addr) error
@@ -10,7 +10,7 @@ index 4307e57b4..c63b2dea8 100644
 
 	metrics *vaMetrics
 }
-@@ -238,6 +239,7 @@ func NewValidationAuthorityImpl(
+@@ -239,6 +240,7 @@ func NewValidationAuthorityImpl(
 	perspective string,
 	rir string,
 	reservedIPChecker func(netip.Addr) error,
@@ -18,7 +18,7 @@ index 4307e57b4..c63b2dea8 100644
 ) (*ValidationAuthorityImpl, error) {
 
 	if len(accountURIPrefixes) == 0 {
-@@ -275,6 +277,7 @@ func NewValidationAuthorityImpl(
+@@ -276,6 +278,7 @@ func NewValidationAuthorityImpl(
 		perspective:       perspective,
 		rir:               rir,
 		isReservedIPFunc:  reservedIPChecker,