diff --git a/install b/install
index b6ffb70..9f494a3 100755
--- a/install
+++ b/install
@@ -24,7 +24,7 @@ dockerComposeVersion="1.28.5"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2021-08-02"
+boulderTag="release-2021-08-31"
 
 #
 # Color configuration
diff --git a/patches/bad-key-revoker_main.patch b/patches/bad-key-revoker_main.patch
index 9795b52..72f6fc8 100644
--- a/patches/bad-key-revoker_main.patch
+++ b/patches/bad-key-revoker_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/bad-key-revoker/main.go b/cmd/bad-key-revoker/main.go
-index 2d6d17f16..e09948cfc 100644
+index 3f3a953d3..c02b4dfc1 100644
 --- a/cmd/bad-key-revoker/main.go
 +++ b/cmd/bad-key-revoker/main.go
 @@ -15,6 +15,7 @@ import (
@@ -10,7 +10,7 @@ index 2d6d17f16..e09948cfc 100644
  	"github.com/letsencrypt/boulder/cmd"
  	"github.com/letsencrypt/boulder/core"
  	"github.com/letsencrypt/boulder/db"
-@@ -348,6 +349,9 @@ func main() {
+@@ -352,6 +353,9 @@ func main() {
  			TLS       cmd.TLSConfig
  			RAService *cmd.GRPCClientConfig
  
@@ -20,7 +20,7 @@ index 2d6d17f16..e09948cfc 100644
  			// MaximumRevocations specifies the maximum number of certificates associated with
  			// a key hash that bad-key-revoker will attempt to revoke. If the number of certificates
  			// is higher than MaximumRevocations bad-key-revoker will error out and refuse to
-@@ -375,6 +379,12 @@ func main() {
+@@ -385,6 +389,12 @@ func main() {
  
  		Syslog  cmd.SyslogConfig
  		Beeline cmd.BeelineConfig
@@ -33,7 +33,7 @@ index 2d6d17f16..e09948cfc 100644
  	}
  	configPath := flag.String("config", "", "File path to the configuration file for this service")
  	flag.Parse()
-@@ -424,6 +434,32 @@ func main() {
+@@ -434,6 +444,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
  	rac := rapb.NewRegistrationAuthorityClient(conn)
  
@@ -66,7 +66,7 @@ index 2d6d17f16..e09948cfc 100644
  	var smtpRoots *x509.CertPool
  	if config.BadKeyRevoker.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := ioutil.ReadFile(config.BadKeyRevoker.Mailer.SMTPTrustedRootFile)
-@@ -445,6 +481,7 @@ func main() {
+@@ -455,6 +491,7 @@ func main() {
  		config.BadKeyRevoker.Mailer.Username,
  		smtpPassword,
  		smtpRoots,
diff --git a/patches/core_interfaces.patch b/patches/core_interfaces.patch
index e529adc..8a7fa56 100644
--- a/patches/core_interfaces.patch
+++ b/patches/core_interfaces.patch
@@ -1,8 +1,8 @@
 diff --git a/core/interfaces.go b/core/interfaces.go
-index 4e03131cb..43468ca3b 100644
+index d19eb4fb8..3ae50d737 100644
 --- a/core/interfaces.go
 +++ b/core/interfaces.go
-@@ -94,6 +94,7 @@ type PolicyAuthority interface {
+@@ -91,6 +91,7 @@ type PolicyAuthority interface {
  	WillingToIssueWildcards(identifiers []identifier.ACMEIdentifier) error
  	ChallengesFor(domain identifier.ACMEIdentifier) ([]Challenge, error)
  	ChallengeTypeEnabled(t AcmeChallenge) bool
diff --git a/patches/expiration-mailer_main.patch b/patches/expiration-mailer_main.patch
index 0834469..06f172d 100644
--- a/patches/expiration-mailer_main.patch
+++ b/patches/expiration-mailer_main.patch
@@ -1,5 +1,5 @@
 diff --git a/cmd/expiration-mailer/main.go b/cmd/expiration-mailer/main.go
-index 9f56157dd..8cc77676c 100644
+index f6b02976e..0b00b794d 100644
 --- a/cmd/expiration-mailer/main.go
 +++ b/cmd/expiration-mailer/main.go
 @@ -20,6 +20,7 @@ import (
@@ -9,8 +9,8 @@ index 9f56157dd..8cc77676c 100644
 +	"github.com/letsencrypt/boulder/bdns"
  	"github.com/letsencrypt/boulder/cmd"
  	"github.com/letsencrypt/boulder/core"
- 	"github.com/letsencrypt/boulder/db"
-@@ -35,7 +36,7 @@ import (
+ 	corepb "github.com/letsencrypt/boulder/core/proto"
+@@ -36,7 +37,7 @@ import (
  
  const (
  	defaultNagCheckInterval  = 24 * time.Hour
@@ -19,7 +19,7 @@ index 9f56157dd..8cc77676c 100644
  )
  
  type regStore interface {
-@@ -384,6 +385,9 @@ type config struct {
+@@ -385,6 +386,9 @@ type config struct {
  		TLS       cmd.TLSConfig
  		SAService *cmd.GRPCClientConfig
  
@@ -29,7 +29,7 @@ index 9f56157dd..8cc77676c 100644
  		// Path to a file containing a list of trusted root certificates for use
  		// during the SMTP connection (as opposed to the gRPC connections).
  		SMTPTrustedRootFile string
-@@ -393,6 +397,12 @@ type config struct {
+@@ -394,6 +398,12 @@ type config struct {
  
  	Syslog  cmd.SyslogConfig
  	Beeline cmd.BeelineConfig
@@ -42,7 +42,7 @@ index 9f56157dd..8cc77676c 100644
  }
  
  func initStats(stats prometheus.Registerer) mailerStats {
-@@ -510,6 +520,32 @@ func main() {
+@@ -511,6 +521,32 @@ func main() {
  	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
  	sac := bgrpc.NewStorageAuthorityClient(sapb.NewStorageAuthorityClient(conn))
  
@@ -75,7 +75,7 @@ index 9f56157dd..8cc77676c 100644
  	var smtpRoots *x509.CertPool
  	if c.Mailer.SMTPTrustedRootFile != "" {
  		pem, err := ioutil.ReadFile(c.Mailer.SMTPTrustedRootFile)
-@@ -545,6 +581,7 @@ func main() {
+@@ -546,6 +582,7 @@ func main() {
  		c.Mailer.Username,
  		smtpPassword,
  		smtpRoots,
diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch
index c67edef..18541c8 100644
--- a/patches/ra_ra.patch
+++ b/patches/ra_ra.patch
@@ -1,5 +1,5 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index 58fa25ca8..09d2a3579 100644
+index 1023d0232..3f8d86d87 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
 @@ -31,7 +31,6 @@ import (
@@ -10,7 +10,7 @@ index 58fa25ca8..09d2a3579 100644
  	"github.com/letsencrypt/boulder/probs"
  	pubpb "github.com/letsencrypt/boulder/publisher/proto"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
-@@ -446,7 +445,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -435,7 +434,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
  				contact,
  			)
  		}
diff --git a/patches/test_config_ca_a.patch b/patches/test_config_ca_a.patch
index 52cac89..1e54b15 100644
--- a/patches/test_config_ca_a.patch
+++ b/patches/test_config_ca_a.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json
 index 92b32f094..e220d7d4f 100644
 --- a/test/config/ca-a.json
 +++ b/test/config/ca-a.json
-@@ -58,19 +58,7 @@
+@@ -60,19 +60,7 @@
            "crlURL": "http://example.com/crl",
            "location": {
              "configFile": "test/test-ca.key-pkcs11.json",
diff --git a/patches/test_config_ca_b.patch b/patches/test_config_ca_b.patch
index 0e59588..beb0a85 100644
--- a/patches/test_config_ca_b.patch
+++ b/patches/test_config_ca_b.patch
@@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json
 index 6c7d9d272..4e428bc4a 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
-@@ -58,19 +58,7 @@
+@@ -60,19 +60,7 @@
            "crlURL": "http://example.com/crl",
            "location": {
              "configFile": "test/test-ca.key-pkcs11.json",