labca/patches/issuance_issuer.patch
2025-11-14 15:09:09 +01:00


diff --git a/issuance/issuer.go b/issuance/issuer.go
index 8479470ba..33672c905 100644
--- a/issuance/issuer.go
+++ b/issuance/issuer.go
@@ -129,8 +129,8 @@ func LoadChain(certFiles []string) ([]*Certificate, error) {
lastCert := certs[len(certs)-1]
err = lastCert.CheckSignatureFrom(lastCert.Certificate)
if err != nil {
- return nil, fmt.Errorf(
- "final cert in chain (%q; %q) must be self-signed (used only for validation): %w",
+ fmt.Printf(
+ "WARNING: final cert in chain (%q; %q) should be self-signed (used only for validation): %w\n",
lastCert.Subject, certFiles[len(certFiles)-1], err)
}
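Review bot: The added `fmt.Printf` call keeps the `%w` verb, which only `fmt.Errorf` understands; in `Printf` it renders as `%!w(...)` and `go vet` reports it, so the warning prints a mangled form of the signature error. Use `%v` for the last argument: `"WARNING: final cert in chain (%q; %q) should be self-signed (used only for validation): %v\n",`. With the early return gone, LoadChain accepts a chain whose last certificate fails `CheckSignatureFrom` against itself, and the only trace is a line on stdout; a comment explaining why the relaxation is wanted, and sending the message through the process logger instead of stdout, would make that decision auditable. The function body continues outside the hunk, so whether the now non-nil `err` is overwritten before it is next examined cannot be confirmed from here.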
@@ -156,7 +156,7 @@ type IssuerConfig struct {
Profiles []string `validate:"required_if=Active true,dive,alphanum,min=1,max=32"`
IssuerURL string `validate:"required,url"`
- CRLURLBase string `validate:"required,url,startswith=http://,endswith=/"`
+ CRLURLBase string `validate:"required,url,startswith=http://"`
// Number of CRL shards. Must be positive, but can be 1 for no sharding.
CRLShards int `validate:"required,min=1"`
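Review bot: Dropping `endswith=/` from the `CRLURLBase` tag, together with the removed `strings.HasSuffix` check in the `newIssuer` hunk that follows, leaves nothing that states how the base is joined with the shard identifier. The code that builds the final CRL URL is not visible in this patch; if it appends the shard to the base verbatim, a base without a trailing separator would produce a malformed distribution-point URL in issued certificates, which clients would fail to fetch. A field comment recording the new contract would help, for example `// CRLURLBase is the prefix for shard URLs; a trailing "/" is no longer enforced, so include any needed separator.` IssuerConfig and newIssuer both continue outside their hunks.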
@@ -242,9 +242,6 @@ func newIssuer(config IssuerConfig, cert *Certificate, signer crypto.Signer, clk
if !strings.HasPrefix(config.CRLURLBase, "http://") {
return nil, fmt.Errorf("crlURLBase must use HTTP scheme, got %q", config.CRLURLBase)
}
- if !strings.HasSuffix(config.CRLURLBase, "/") {
- return nil, fmt.Errorf("crlURLBase must end with exactly one forward slash, got %q", config.CRLURLBase)
- }
if config.CRLShards <= 0 {
return nil, errors.New("number of CRL shards is required")
}