letsencrypt · beautifulentropy · Feb 23, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
@@ -324,7 +324,7 @@ func (ca *certificateAuthorityImpl) IssueCertificate(ctx context.Context, req *c
 	// an error immediately after signing the precertificate, we have a record in the DB of what we
 	// intended to sign, and can do revocations based on that. See #6807.
 	// The name of the SA method ("AddPrecertificate") is a historical artifact.
-	_, err = ca.sa.AddPrecertificate(context.Background(), &sapb.AddCertificateRequest{
+	_, err = ca.sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 		Der:          lintPrecertDER,
 		RegID:        req.RegistrationID,
 		Issued:       timestamppb.New(ca.clk.Now()),

@@ -176,9 +176,9 @@ func (bkr *badKeyRevoker) markRowChecked(ctx context.Context, unchecked unchecke
 // revokeCerts revokes all the provided certificates. It uses reason
 // keyCompromise and includes note indicating that they were revoked by
 // bad-key-revoker.
-func (bkr *badKeyRevoker) revokeCerts(certs []unrevokedCertificate) error {
+func (bkr *badKeyRevoker) revokeCerts(ctx context.Context, certs []unrevokedCertificate) error {
 	for _, cert := range certs {
-		_, err := bkr.raClient.AdministrativelyRevokeCertificate(context.Background(), &rapb.AdministrativelyRevokeCertificateRequest{
+		_, err := bkr.raClient.AdministrativelyRevokeCertificate(ctx, &rapb.AdministrativelyRevokeCertificateRequest{
 			Cert:      cert.DER,
 			Serial:    cert.Serial,
 			Code:      int64(revocation.KeyCompromise),
@@ -252,7 +252,7 @@ func (bkr *badKeyRevoker) invoke(ctx context.Context) (work bool, err error) {
 	logEvent["serials"] = serials
 
 	// revoke each certificate
-	err = bkr.revokeCerts(unrevokedCerts)
+	err = bkr.revokeCerts(ctx, unrevokedCerts)
 	if err != nil {
 		return false, err
 	}

@@ -282,7 +282,7 @@ func TestRevokeCerts(t *testing.T) {
 		certsRevoked: prometheus.NewCounter(prometheus.CounterOpts{}),
 	}
 
-	err = bkr.revokeCerts([]unrevokedCertificate{
+	err = bkr.revokeCerts(t.Context(), []unrevokedCertificate{
 		{ID: 0, Serial: "ff"},
 		{ID: 1, Serial: "ee"},
 	})

@@ -127,7 +127,7 @@ func (ctp *CTPolicy) GetSCTs(ctx context.Context, cert core.CertDER, expiration
 		go ctp.getOne(subCtx, cert, logs[nextLog], resChan)
 	}
 
-	go ctp.submitPrecertInformational(cert, expiration)
+	go ctp.submitPrecertInformational(ctx, cert, expiration)
 
 	// staggerTicker will be used to start a new submission each stagger interval
 	staggerTicker := time.NewTicker(ctp.stagger)
@@ -215,7 +215,9 @@ func compliantSet(results []result) core.SCTDERs {
 // submitAllBestEffort submits the given certificate or precertificate to every
 // log ("informational" for precerts, "final" for certs) configured in the policy.
 // It neither waits for these submission to complete, nor tracks their success.
-func (ctp *CTPolicy) submitAllBestEffort(blob core.CertDER, kind pubpb.SubmissionType, expiry time.Time) {
+func (ctp *CTPolicy) submitAllBestEffort(ctx context.Context, blob core.CertDER, kind pubpb.SubmissionType, expiry time.Time) {
+	ctx = context.WithoutCancel(ctx)
+
 	logs := ctp.finalLogs
 	if kind == pubpb.SubmissionType_info {
 		logs = ctp.infoLogs
@@ -228,7 +230,7 @@ func (ctp *CTPolicy) submitAllBestEffort(blob core.CertDER, kind pubpb.Submissio
 
 		go func(log loglist.Log) {
 			_, err := ctp.pub.SubmitToSingleCTWithResult(
-				context.Background(),
+				ctx,
 				&pubpb.Request{
 					LogURL:       log.Url,
 					LogPublicKey: base64.StdEncoding.EncodeToString(log.Key),
@@ -245,12 +247,12 @@ func (ctp *CTPolicy) submitAllBestEffort(blob core.CertDER, kind pubpb.Submissio
 
 // submitPrecertInformational submits precertificates to any configured
 // "informational" logs, but does not care about success or returned SCTs.
-func (ctp *CTPolicy) submitPrecertInformational(cert core.CertDER, expiration time.Time) {
-	ctp.submitAllBestEffort(cert, pubpb.SubmissionType_info, expiration)
+func (ctp *CTPolicy) submitPrecertInformational(ctx context.Context, cert core.CertDER, expiration time.Time) {
+	ctp.submitAllBestEffort(ctx, cert, pubpb.SubmissionType_info, expiration)
 }
 
 // SubmitFinalCert submits finalized certificates created from precertificates
 // to any configured "final" logs, but does not care about success.
-func (ctp *CTPolicy) SubmitFinalCert(cert core.CertDER, expiration time.Time) {
-	ctp.submitAllBestEffort(cert, pubpb.SubmissionType_final, expiration)
+func (ctp *CTPolicy) SubmitFinalCert(ctx context.Context, cert core.CertDER, expiration time.Time) {
+	ctp.submitAllBestEffort(ctx, cert, pubpb.SubmissionType_final, expiration)
 }
@@ -1335,7 +1335,7 @@ func (ra *RegistrationAuthorityImpl) issueCertificateInner(
 	ra.countCertificateIssued(ctx, int64(acctID), identifier.FromCert(parsedCertificate), isRenewal)
 
 	// Asynchronously submit the final certificate to any configured logs
-	go ra.ctpolicy.SubmitFinalCert(resp.DER, parsedCertificate.NotAfter)
+	go ra.ctpolicy.SubmitFinalCert(ctx, resp.DER, parsedCertificate.NotAfter)
 
 	err = ra.matchesCSR(parsedCertificate, csr)
 	if err != nil {