Merge branch 'release/20.11.1'

* release/20.11.1:
  Make sure that sudo is installed
  Bump boulder version to release-2020-11-10
  Bump boulder version to release-2020-11-04

config_bad-key-revoker.patch

@@ -22,7 +22,7 @@ index 482fd85fc..3e678aa5b 100644
 +        "interval": "5m"
      },
      "syslog": {
-         "stdoutlevel": 6,
+         "stdoutlevel": 4,
          "sysloglevel": 4
 +    },
 +    "common": {

install

@@ -24,7 +24,7 @@ dockerComposeVersion="1.22.0"
 
 labcaUrl="https://github.com/hakwerk/labca/"
 boulderUrl="https://github.com/letsencrypt/boulder/"
-boulderTag="release-2020-10-13"
+boulderTag="release-2020-11-10"
 
 #
 # Color configuration
@@ -343,7 +343,7 @@ install_pkg() {
 }
 
 install_extra() {
-    local packages=(apt-transport-https ca-certificates curl gnupg2 net-tools nginx software-properties-common tzdata ucspi-tcp zip)
+    local packages=(apt-transport-https ca-certificates curl gnupg2 net-tools nginx software-properties-common sudo tzdata ucspi-tcp zip)
     for package in "${packages[@]}"; do
         install_pkg "$package"
     done

policy_pa.patch

@@ -1,8 +1,8 @@
 diff --git a/policy/pa.go b/policy/pa.go
-index 599dcdb10..084cb3ba8 100644
+index 7950970f4..03cfb937e 100644
 --- a/policy/pa.go
 +++ b/policy/pa.go
-@@ -30,6 +30,8 @@ type AuthorityImpl struct {
+@@ -31,6 +31,8 @@ type AuthorityImpl struct {
  	blocklist              map[string]bool
  	exactBlocklist         map[string]bool
  	wildcardExactBlocklist map[string]bool
@@ -11,7 +11,7 @@ index 599dcdb10..084cb3ba8 100644
  	blocklistMu            sync.RWMutex
 
  	enabledChallenges map[core.AcmeChallenge]bool
-@@ -70,6 +72,9 @@ type blockedNamesPolicy struct {
+@@ -71,6 +73,9 @@ type blockedNamesPolicy struct {
  	// time above and beyond the high-risk domains. Managing these entries separately
  	// from HighRiskBlockedNames makes it easier to vet changes accurately.
  	AdminBlockedNames []string `yaml:"AdminBlockedNames"`
@@ -21,7 +21,7 @@ index 599dcdb10..084cb3ba8 100644
  }
 
  // SetHostnamePolicyFile will load the given policy file, returning error if it
-@@ -138,10 +143,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
+@@ -139,10 +144,20 @@ func (pa *AuthorityImpl) processHostnamePolicy(policy blockedNamesPolicy) error
  		// wildcardNameMap to block issuance for `*.`+parts[1]
  		wildcardNameMap[parts[1]] = true
  	}
@@ -42,7 +42,7 @@ index 599dcdb10..084cb3ba8 100644
  	pa.blocklistMu.Unlock()
  	return nil
  }
-@@ -214,7 +229,7 @@ var (
+@@ -215,7 +230,7 @@ var (
  // * exactly equal to an IANA registered TLD
  //
  // It does _not_ check that the domain isn't on any PA blocked lists.
@@ -51,7 +51,7 @@ index 599dcdb10..084cb3ba8 100644
  	if domain == "" {
  		return errEmptyName
  	}
-@@ -281,6 +296,14 @@ func ValidDomain(domain string) error {
+@@ -282,6 +297,14 @@ func ValidDomain(domain string) error {
  		}
  	}
 
@@ -66,7 +66,7 @@ index 599dcdb10..084cb3ba8 100644
  	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
  	icannTLD, err := iana.ExtractSuffix(domain)
  	if err != nil {
-@@ -308,7 +331,7 @@ var forbiddenMailDomains = map[string]bool{
+@@ -309,7 +332,7 @@ var forbiddenMailDomains = map[string]bool{
  // ValidEmail returns an error if the input doesn't parse as an email address,
  // the domain isn't a valid hostname in Preferred Name Syntax, or its on the
  // list of domains forbidden for mail (because they are often used in examples).
@@ -75,7 +75,7 @@ index 599dcdb10..084cb3ba8 100644
  	email, err := mail.ParseAddress(address)
  	if err != nil {
  		if len(address) > 254 {
-@@ -318,7 +341,7 @@ func ValidEmail(address string) error {
+@@ -319,7 +342,7 @@ func ValidEmail(address string) error {
  	}
  	splitEmail := strings.SplitN(email.Address, "@", -1)
  	domain := strings.ToLower(splitEmail[len(splitEmail)-1])
@@ -84,7 +84,7 @@ index 599dcdb10..084cb3ba8 100644
  		return berrors.InvalidEmailError(
  			"contact email %q has invalid domain : %s",
  			email.Address, err)
-@@ -357,10 +380,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+@@ -358,10 +381,14 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
  	}
  	domain := id.Value
 
@@ -100,7 +100,7 @@ index 599dcdb10..084cb3ba8 100644
  	// Require no match against hostname block lists
  	if err := pa.checkHostLists(domain); err != nil {
  		return err
-@@ -369,6 +396,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
+@@ -370,6 +397,31 @@ func (pa *AuthorityImpl) WillingToIssue(id identifier.ACMEIdentifier) error {
  	return nil
  }
 

ra_ra.patch

@@ -1,16 +1,16 @@
 diff --git a/ra/ra.go b/ra/ra.go
-index ca21ace0e..6d90d7eff 100644
+index bdc0520bc..2d74d1318 100644
 --- a/ra/ra.go
 +++ b/ra/ra.go
-@@ -29,7 +29,6 @@ import (
+@@ -30,7 +30,6 @@ import (
  	"github.com/letsencrypt/boulder/issuance"
  	blog "github.com/letsencrypt/boulder/log"
  	"github.com/letsencrypt/boulder/metrics"
 -	"github.com/letsencrypt/boulder/policy"
  	"github.com/letsencrypt/boulder/probs"
  	rapb "github.com/letsencrypt/boulder/ra/proto"
  	"github.com/letsencrypt/boulder/ratelimit"
-@@ -400,7 +399,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
+@@ -401,7 +400,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(ctx context.Context, conta
  				contact,
  			)
  		}

test_config_ca_a.patch

@@ -2,7 +2,7 @@ diff --git a/test/config/ca-a.json b/test/config/ca-a.json
 index be064a52e..e7ef8fcf6 100644
 --- a/test/config/ca-a.json
 +++ b/test/config/ca-a.json
-@@ -30,11 +30,7 @@
+@@ -122,11 +122,7 @@
      },
      "issuers": [{
        "configFile": "test/test-ca.key-pkcs11.json",

test_config_ca_b.patch

@@ -2,7 +2,7 @@ diff --git a/test/config/ca-b.json b/test/config/ca-b.json
 index ed2498f1a..4d24ffa94 100644
 --- a/test/config/ca-b.json
 +++ b/test/config/ca-b.json
-@@ -30,11 +30,7 @@
+@@ -127,11 +127,7 @@
      },
      "issuers": [{
        "configFile": "test/test-ca.key-pkcs11.json",