2 changes: 1 addition & 1 deletion bdns/dns.go
Expand Up @@ -266,7 +266,7 @@ func (c *impl) exchangeOne(ctx context.Context, hostname string, qtype uint16) (

// It's impossible to get past the bottom of the loop: on the last attempt
// (when tries == c.maxTries), all paths lead to a return from inside the loop.
return nil, "", errors.New("unexpected loop escape in exchangeOne")
return nil, "", fmt.Errorf("unexpected loop escape in exchangeOne")
}

// LookupA sends a DNS query to find all A records associated with the provided
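Review bot: `return nil, "", fmt.Errorf("unexpected loop escape in exchangeOne")` on the new line has no verbs and no arguments, so it is `errors.New` with an extra format-string pass, and the same swap is made in bdns/dns_test.go, bdns/mocks.go, bdns/problem_test.go, bdns/servers.go, ca/ca.go, ca/ca_test.go, ca/crl.go, cmd/admin/admin.go and cmd/admin/cert.go. Behaviour is unchanged for these literals (none contains a `%`), but every message is now a format string, so a later edit that adds a literal percent sign to one of them will yield `%!(NOVERB)`-style output unless `go vet`'s printf check catches it first, and linters such as perfsprint report argument-less `fmt.Errorf` as a candidate for `errors.New`. The motivation is not visible on this page; a one-line rationale in the PR description (and the linter configuration, if one is being adopted) would let reviewers tell a deliberate single-idiom policy from an accidental regression. The body of exchangeOne starts outside the hunk.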
15 changes: 7 additions & 8 deletions bdns/dns_test.go
Expand Up @@ -4,7 +4,6 @@ import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io"
"log"
Expand Down Expand Up @@ -606,7 +605,7 @@ type testExchanger struct {
errs []error
}

var errTooManyRequests = errors.New("too many requests")
var errTooManyRequests = fmt.Errorf("too many requests")

func (te *testExchanger) ExchangeContext(ctx context.Context, m *dns.Msg, a string) (*dns.Msg, time.Duration, error) {
if ctx.Err() != nil {
Expand All @@ -630,8 +629,8 @@ func (te *testExchanger) ExchangeContext(ctx context.Context, m *dns.Msg, a stri
func TestRetry(t *testing.T) {
isTimeoutErr := &url.Error{Op: "read", Err: testTimeoutError(true)}
nonTimeoutErr := &url.Error{Op: "read", Err: testTimeoutError(false)}
servFailError := errors.New("DNS problem: server failure at resolver looking up TXT for example.com")
timeoutFailError := errors.New("DNS problem: query timed out looking up TXT for example.com")
servFailError := fmt.Errorf("DNS problem: server failure at resolver looking up TXT for example.com")
timeoutFailError := fmt.Errorf("DNS problem: query timed out looking up TXT for example.com")
type testCase struct {
name string
maxTries int
Expand All @@ -656,7 +655,7 @@ func TestRetry(t *testing.T) {
name: "non-operror",
maxTries: 3,
te: &testExchanger{
errs: []error{errors.New("nope")},
errs: []error{fmt.Errorf("nope")},
},
expected: servFailError,
expectedCount: 1,
Expand All @@ -666,7 +665,7 @@ func TestRetry(t *testing.T) {
name: "err-then-non-operror",
maxTries: 3,
te: &testExchanger{
errs: []error{isTimeoutErr, errors.New("nope")},
errs: []error{isTimeoutErr, fmt.Errorf("nope")},
},
expected: servFailError,
expectedCount: 2,
Expand Down Expand Up @@ -798,7 +797,7 @@ func TestRetryMetrics(t *testing.T) {
// checks for cancellation before doing any work.
testClient := New(time.Second*10, staticProvider, metrics.NoopRegisterer, clock.NewFake(), 3, "", blog.UseMock(), tlsConfig)
dr := testClient.(*impl)
dr.exchanger = &testExchanger{errs: []error{errors.New("oops")}}
dr.exchanger = &testExchanger{errs: []error{fmt.Errorf("oops")}}
ctx, cancel := context.WithCancel(t.Context())
cancel()
_, _, err = dr.LookupTXT(ctx, "example.com")
Expand All @@ -817,7 +816,7 @@ func TestRetryMetrics(t *testing.T) {
// let the go runtime cancel it as a result of a deadline in the past.
testClient = New(time.Second*10, staticProvider, metrics.NoopRegisterer, clock.NewFake(), 3, "", blog.UseMock(), tlsConfig)
dr = testClient.(*impl)
dr.exchanger = &testExchanger{errs: []error{errors.New("oops")}}
dr.exchanger = &testExchanger{errs: []error{fmt.Errorf("oops")}}
ctx, cancel = context.WithTimeout(t.Context(), -10*time.Hour)
defer cancel()
_, _, err = dr.LookupTXT(ctx, "example.com")
10 changes: 5 additions & 5 deletions bdns/mocks.go
Expand Up @@ -2,7 +2,7 @@ package bdns

import (
"context"
"errors"
"fmt"

"github.com/miekg/dns"
)
Expand All @@ -12,20 +12,20 @@ type MockClient struct{}

// LookupTXT is a mock
func (mock *MockClient) LookupTXT(_ context.Context, hostname string) (*Result[*dns.TXT], string, error) {
return nil, "MockClient", errors.New("unexpected LookupTXT call on test fake")
return nil, "MockClient", fmt.Errorf("unexpected LookupTXT call on test fake")
}

// LookupA is a fake
func (mock *MockClient) LookupA(_ context.Context, hostname string) (*Result[*dns.A], string, error) {
return nil, "MockClient", errors.New("unexpected LookupA call on test fake")
return nil, "MockClient", fmt.Errorf("unexpected LookupA call on test fake")
}

// LookupAAAA is a fake
func (mock *MockClient) LookupAAAA(_ context.Context, hostname string) (*Result[*dns.AAAA], string, error) {
return nil, "MockClient", errors.New("unexpected LookupAAAA call on test fake")
return nil, "MockClient", fmt.Errorf("unexpected LookupAAAA call on test fake")
}

// LookupCAA is a fake
func (mock *MockClient) LookupCAA(_ context.Context, domain string) (*Result[*dns.CAA], string, error) {
return nil, "MockClient", errors.New("unexpected LookupCAA call on test fake")
return nil, "MockClient", fmt.Errorf("unexpected LookupCAA call on test fake")
}
6 changes: 3 additions & 3 deletions bdns/problem_test.go
Expand Up @@ -2,7 +2,7 @@ package bdns

import (
"context"
"errors"
"fmt"
"net"
"net/url"
"testing"
Expand All @@ -18,7 +18,7 @@ func TestError(t *testing.T) {
expected string
}{
{
&Error{dns.TypeMX, "hostname", &net.OpError{Err: errors.New("some net error")}, -1, nil},
&Error{dns.TypeMX, "hostname", &net.OpError{Err: fmt.Errorf("some net error")}, -1, nil},
"DNS problem: networking error looking up MX for hostname",
}, {
&Error{dns.TypeTXT, "hostname", nil, dns.RcodeNameError, nil},
Expand Down Expand Up @@ -85,6 +85,6 @@ func TestWrapErr(t *testing.T) {

err = wrapErr(dns.TypeA, "hostname", &dns.Msg{
MsgHdr: dns.MsgHdr{Rcode: dns.RcodeSuccess},
}, errors.New("oh no"))
}, fmt.Errorf("oh no"))
test.AssertError(t, err, "expected error")
}
11 changes: 5 additions & 6 deletions bdns/servers.go
Expand Up @@ -2,7 +2,6 @@ package bdns

import (
"context"
"errors"
"fmt"
"math/rand/v2"
"net"
Expand Down Expand Up @@ -49,7 +48,7 @@ func validateServerAddress(address string) error {

// Ensure `address` contains both a `host` and `port` portion.
if host == "" || port == "" {
return errors.New("port cannot be missing")
return fmt.Errorf("port cannot be missing")
}

// Ensure the `port` portion of `address` is a valid port.
Expand All @@ -58,14 +57,14 @@ func validateServerAddress(address string) error {
return fmt.Errorf("parsing port number: %s", err)
}
if portNum <= 0 || portNum > 65535 {
return errors.New("port must be an integer between 0 - 65535")
return fmt.Errorf("port must be an integer between 0 - 65535")
}

// Ensure the `host` portion of `address` is a valid FQDN or IP address.
_, err = netip.ParseAddr(host)
FQDN := dns.IsFqdn(dns.Fqdn(host))
if err != nil && !FQDN {
return errors.New("host is not an FQDN or IP address")
return fmt.Errorf("host is not an FQDN or IP address")
}
return nil
}
Expand Down Expand Up @@ -140,7 +139,7 @@ type dynamicProvider struct {
// It has been minimally modified to fit our code style.
func ParseTarget(target, defaultPort string) (host, port string, err error) {
if target == "" {
return "", "", errors.New("missing address")
return "", "", fmt.Errorf("missing address")
}
ip := net.ParseIP(target)
if ip != nil {
Expand All @@ -152,7 +151,7 @@ func ParseTarget(target, defaultPort string) (host, port string, err error) {
if port == "" {
// If the port field is empty (target ends with colon), e.g.
// "[::1]:", this is an error.
return "", "", errors.New("missing port after port-separator colon")
return "", "", fmt.Errorf("missing port after port-separator colon")
}
// target has port, i.e ipv4-host:port, [ipv6-host]:port, host-name:port
if host == "" {
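Review bot: The new line `return fmt.Errorf("port must be an integer between 0 - 65535")` in validateServerAddress keeps a message that contradicts the check just above it, which rejects `portNum <= 0`; since the line is being rewritten anyway, `return fmt.Errorf("port must be an integer between 1 - 65535")` would make the rejection message match the accepted range. In the same hunk the context line `return fmt.Errorf("parsing port number: %s", err)` formats the port-parse error with `%s`, which hides it from `errors.Is`/`errors.As`; `%w` would preserve the chain at no cost. The start of validateServerAddress and the remainder of ParseTarget lie outside the hunks shown.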
14 changes: 7 additions & 7 deletions ca/ca.go
Expand Up @@ -147,15 +147,15 @@ func NewCertificateAuthorityImpl(
clk clock.Clock,
) (*certificateAuthorityImpl, error) {
if serialPrefix < 0x01 || serialPrefix > 0x7f {
return nil, errors.New("serial prefix must be between 0x01 (1) and 0x7f (127)")
return nil, fmt.Errorf("serial prefix must be between 0x01 (1) and 0x7f (127)")
}

if len(issuers) == 0 {
return nil, errors.New("must have at least one issuer")
return nil, fmt.Errorf("must have at least one issuer")
}

if len(profiles) == 0 {
return nil, errors.New("must have at least one certificate profile")
return nil, fmt.Errorf("must have at least one certificate profile")
}

issuableKeys := make(map[x509.PublicKeyAlgorithm]bool)
Expand Down Expand Up @@ -224,7 +224,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, req *c
}

if ca.sctClient == nil {
return nil, errors.New("IssueCertificate called with a nil SCT service")
return nil, fmt.Errorf("IssueCertificate called with a nil SCT service")
}

profile, ok := ca.profiles[req.CertProfileName]
Expand Down Expand Up @@ -553,17 +553,17 @@ func tbsCertIsDeterministic(lintCertBytes []byte, leafCertBytes []byte) error {

// Extract the Certificate bytes
if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) {
return nil, errors.New("malformed certificate")
return nil, fmt.Errorf("malformed certificate")
}

var tbs cryptobyte.String
// Extract the TBSCertificate bytes from the Certificate bytes
if !input.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
return nil, errors.New("malformed tbs certificate")
return nil, fmt.Errorf("malformed tbs certificate")
}

if tbs.Empty() {
return nil, errors.New("parsed RawTBSCertificate field was empty")
return nil, fmt.Errorf("parsed RawTBSCertificate field was empty")
}

return tbs, nil
6 changes: 3 additions & 3 deletions ca/ca_test.go
Expand Up @@ -389,7 +389,7 @@ func deserializeSCTList(sctListExtensionValue []byte) ([]ct.SignedCertificateTim
return nil, err
}
if len(rest) != 0 {
return nil, errors.New("serialized SCT list contained trailing garbage")
return nil, fmt.Errorf("serialized SCT list contained trailing garbage")
}
list := make([]ct.SignedCertificateTimestamp, len(sctList.SCTList))
for i, serializedSCT := range sctList.SCTList {
Expand All @@ -399,7 +399,7 @@ func deserializeSCTList(sctListExtensionValue []byte) ([]ct.SignedCertificateTim
return nil, err
}
if len(rest) != 0 {
return nil, errors.New("serialized SCT contained trailing garbage")
return nil, fmt.Errorf("serialized SCT contained trailing garbage")
}
list[i] = sct
}
Expand Down Expand Up @@ -928,7 +928,7 @@ func TestNoteSignError(t *testing.T) {
testCtx := newCAArgs(t)
metrics := testCtx.metrics

err := fmt.Errorf("wrapped non-signing error: %w", errors.New("oops"))
err := fmt.Errorf("wrapped non-signing error: %w", fmt.Errorf("oops"))
metrics.noteSignError(err)
test.AssertMetricWithLabelsEquals(t, metrics.signErrorCount, prometheus.Labels{"type": "HSM"}, 0)

11 changes: 5 additions & 6 deletions ca/crl.go
Expand Up @@ -3,7 +3,6 @@ package ca
import (
"crypto/sha256"
"crypto/x509"
"errors"
"fmt"
"io"
"strings"
Expand Down Expand Up @@ -83,7 +82,7 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR
switch payload := in.Payload.(type) {
case *capb.GenerateCRLRequest_Metadata:
if req != nil {
return errors.New("got more than one metadata message")
return fmt.Errorf("got more than one metadata message")
}

req, err = ci.metadataToRequest(payload.Metadata)
Expand All @@ -106,12 +105,12 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR
rcs = append(rcs, *rc)

default:
return errors.New("got empty or malformed message in input stream")
return fmt.Errorf("got empty or malformed message in input stream")
}
}

if req == nil {
return errors.New("no crl metadata received")
return fmt.Errorf("no crl metadata received")
}

// Compute a unique ID for this issuer-number-shard combo, to tie together all
Expand Down Expand Up @@ -174,7 +173,7 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR

func (ci *crlImpl) metadataToRequest(meta *capb.CRLMetadata) (*issuance.CRLRequest, error) {
if core.IsAnyNilOrZero(meta.IssuerNameID, meta.ThisUpdate, meta.ShardIdx) {
return nil, errors.New("got incomplete metadata message")
return nil, fmt.Errorf("got incomplete metadata message")
}
thisUpdate := meta.ThisUpdate.AsTime()
number := bcrl.Number(thisUpdate)
Expand All @@ -193,7 +192,7 @@ func (ci *crlImpl) entryToRevokedCertificate(entry *corepb.CRLEntry) (*x509.Revo
}

if core.IsAnyNilOrZero(entry.RevokedAt) {
return nil, errors.New("got empty or zero revocation timestamp")
return nil, fmt.Errorf("got empty or zero revocation timestamp")
}
revokedAt := entry.RevokedAt.AsTime()

3 changes: 1 addition & 2 deletions cmd/admin/admin.go
Expand Up @@ -2,7 +2,6 @@ package main

import (
"context"
"errors"
"fmt"

"github.com/jmhodges/clock"
Expand Down Expand Up @@ -91,7 +90,7 @@ func findActiveInputMethodFlag(setInputs map[string]bool) (string, error) {
}

if len(activeFlags) == 0 {
return "", errors.New("at least one input method flag must be specified")
return "", fmt.Errorf("at least one input method flag must be specified")
} else if len(activeFlags) > 1 {
return "", fmt.Errorf("more than one input method flag specified: %v", activeFlags)
}
12 changes: 6 additions & 6 deletions cmd/admin/cert.go
Expand Up @@ -82,13 +82,13 @@ func (s *subcommandRevokeCert) Run(ctx context.Context, a *admin) error {
if s.skipBlock && reasonCode == revocation.KeyCompromise {
// We would only add the SPKI hash of the pubkey to the blockedKeys table if
// the revocation reason is keyCompromise.
return errors.New("-skip-block-key only makes sense with -reason=1")
return fmt.Errorf("-skip-block-key only makes sense with -reason=1")
}

if s.malformed && reasonCode == revocation.KeyCompromise {
// This is because we can't extract and block the pubkey if we can't
// parse the certificate.
return errors.New("cannot revoke malformed certs for reason keyCompromise")
return fmt.Errorf("cannot revoke malformed certs for reason keyCompromise")
}

// This is a map of all input-selection flags to whether or not they were set
Expand Down Expand Up @@ -122,7 +122,7 @@ func (s *subcommandRevokeCert) Run(ctx context.Context, a *admin) error {
case "-cert-file":
serials, err = a.serialsFromCertPEM(ctx, s.certFile)
default:
return errors.New("no recognized input method flag set (this shouldn't happen)")
return fmt.Errorf("no recognized input method flag set (this shouldn't happen)")
}
if err != nil {
return fmt.Errorf("collecting serials to revoke: %w", err)
Expand All @@ -134,7 +134,7 @@ func (s *subcommandRevokeCert) Run(ctx context.Context, a *admin) error {
}

if len(serials) == 0 {
return errors.New("no serials to revoke found")
return fmt.Errorf("no serials to revoke found")
}

a.log.Infof("Found %d certificates to revoke", len(serials))
Expand All @@ -157,10 +157,10 @@ func (s *subcommandRevokeCert) revokeMalformed(ctx context.Context, a *admin, se
return fmt.Errorf("getting admin username: %w", err)
}
if s.crlShard == 0 {
return errors.New("when revoking malformed certificates, a nonzero CRL shard must be specified")
return fmt.Errorf("when revoking malformed certificates, a nonzero CRL shard must be specified")
}
if len(serials) > 1 {
return errors.New("when revoking malformed certificates, only one cert at a time is allowed")
return fmt.Errorf("when revoking malformed certificates, only one cert at a time is allowed")
}
_, err = a.rac.AdministrativelyRevokeCertificate(
ctx,