letsencrypt · ezekiel · Jun 4, 2026 · Jun 4, 2026 · Jun 5, 2026 · Jun 5, 2026
@@ -230,8 +230,8 @@ func (c *impl) exchangeOne(ctx context.Context, hostname string, qtype uint16) (
 
 			// Check if the error is a network timeout, rather than a local context
 			// timeout. If it is, retry instead of giving up.
-			var netErr net.Error
-			isRetryable := ctx.Err() == nil && errors.As(err, &netErr) && netErr.Timeout()
+			netErr, isNetError := errors.AsType[net.Error](err)
+			isRetryable := ctx.Err() == nil && isNetError && netErr.Timeout()
 			hasRetriesLeft := tries < c.maxTries
 			if isRetryable && hasRetriesLeft {
 				continue

@@ -98,17 +98,17 @@ var extendedErrorCodeToString = map[uint16]string{
 func (d Error) Error() string {
 	var detail, additional string
 	if d.underlying != nil {
-		var netErr *net.OpError
-		var urlErr *url.Error
-		if errors.As(d.underlying, &netErr) {
+		netErr, netOk := errors.AsType[*net.OpError](d.underlying)
+		urlErr, urlOk := errors.AsType[*url.Error](d.underlying)
+		if netOk {
 			if netErr.Timeout() {
 				detail = detailDNSTimeout
 			} else {
 				detail = detailDNSNetFailure
 			}
 			// Note: we check d.underlying here even though `Timeout()` does this because the call to `netErr.Timeout()` above only
 			// happens for `*net.OpError` underlying types!
-		} else if errors.As(d.underlying, &urlErr) && urlErr.Timeout() {
+		} else if urlOk && urlErr.Timeout() {
 			// For DOH queries, we can get back a `*url.Error` that wraps the unexported type
 			// `http.httpError`. Unfortunately `http.httpError` doesn't wrap any errors (like
 			// context.DeadlineExceeded), we can't check for that; instead we need to call Timeout().

@@ -104,8 +104,8 @@ func NewCAMetrics(stats prometheus.Registerer) *caMetrics {
 }
 
 func (m *caMetrics) noteSignError(err error) {
-	var pkcs11Error pkcs11.Error
-	if errors.As(err, &pkcs11Error) {
+	_, ok := errors.AsType[pkcs11.Error](err)
+	if ok {
 		m.signErrorCount.WithLabelValues("HSM").Inc()
 	}
 }

@@ -178,8 +178,8 @@ func (t *TLSConfig) Load(scope prometheus.Registerer) (*tls.Config, error) {
 		[]string{"serial"})
 	err = scope.Register(tlsNotBefore)
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		are, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			tlsNotBefore = are.ExistingCollector.(*prometheus.GaugeVec)
 		} else {
 			return nil, err
@@ -194,8 +194,8 @@ func (t *TLSConfig) Load(scope prometheus.Registerer) (*tls.Config, error) {
 		[]string{"serial"})
 	err = scope.Register(tlsNotAfter)
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		are, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			tlsNotAfter = are.ExistingCollector.(*prometheus.GaugeVec)
 		} else {
 			return nil, err

@@ -35,8 +35,8 @@ func (d *Duration) UnmarshalJSON(b []byte) error {
 	s := ""
 	err := json.Unmarshal(b, &s)
 	if err != nil {
-		var jsonUnmarshalTypeErr *json.UnmarshalTypeError
-		if errors.As(err, &jsonUnmarshalTypeErr) {
+		_, ok := errors.AsType[*json.UnmarshalTypeError](err)
+		if ok {
 			return ErrDurationMustBeString
 		}
 		return err

@@ -269,14 +269,13 @@ func TestValidSerial(t *testing.T) {
 }
 
 func TestLoadCert(t *testing.T) {
-	var osPathErr *os.PathError
 	_, err := LoadCert("")
 	test.AssertError(t, err, "Loading empty path did not error")
-	test.AssertErrorWraps(t, err, &osPathErr)
+	test.AssertErrorWraps[*os.PathError](t, err)
 
 	_, err = LoadCert("totally/fake/path")
 	test.AssertError(t, err, "Loading nonexistent path did not error")
-	test.AssertErrorWraps(t, err, &osPathErr)
+	test.AssertErrorWraps[*os.PathError](t, err)
 
 	_, err = LoadCert("../test/hierarchy/README.md")
 	test.AssertError(t, err, "Loading non-PEM file did not error")

@@ -166,8 +166,8 @@ func (cs *crlStorer) UploadCRL(stream grpc.ClientStreamingServer[cspb.UploadCRLR
 		Key:    &filename,
 	})
 	if err != nil {
-		var smithyErr *smithyhttp.ResponseError
-		if !errors.As(err, &smithyErr) || smithyErr.HTTPStatusCode() != 404 {
+		smithyErr, ok := errors.AsType[*smithyhttp.ResponseError](err)
+		if !ok || smithyErr.HTTPStatusCode() != 404 {
 			return fmt.Errorf("getting previous CRL for %s: %w", crlId, err)
 		}
 		cs.log.Infof("No previous CRL found for %s, proceeding", crlId)

@@ -47,8 +47,11 @@ func (e ErrDatabaseOp) Unwrap() error {
 // Error 1062: Duplicate entry. This error is returned when inserting a row
 // would violate a unique key constraint.
 func IsDuplicate(err error) bool {
-	var dbErr *mysql.MySQLError
-	return errors.As(err, &dbErr) && dbErr.Number == 1062
+	dbErr, ok := errors.AsType[*mysql.MySQLError](err)
+	if ok && dbErr.Number == 1062 {
+		return true
+	}
+	return false
 }
 
 // WrappedMap wraps a *borp.DbMap such that its major functions wrap error

@@ -202,8 +202,8 @@ func testDbMap(t *testing.T) *WrappedMap {
 func TestWrappedMap(t *testing.T) {
 	mustDbErr := func(err error) ErrDatabaseOp {
 		t.Helper()
-		var dbOpErr ErrDatabaseOp
-		test.AssertErrorWraps(t, err, &dbOpErr)
+		test.AssertErrorWraps[ErrDatabaseOp](t, err)
+		dbOpErr, _ := errors.AsType[ErrDatabaseOp](err)
 		return dbOpErr
 	}
 

@@ -106,8 +106,8 @@ func newClientMetrics(stats prometheus.Registerer) (clientMetrics, error) {
 	)
 	err := stats.Register(grpcMetrics)
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		are, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			grpcMetrics = are.ExistingCollector.(*grpc_prometheus.ClientMetrics)
 		} else {
 			return clientMetrics{}, err
@@ -121,8 +121,8 @@ func newClientMetrics(stats prometheus.Registerer) (clientMetrics, error) {
 	}, []string{"method", "service"})
 	err = stats.Register(inFlightGauge)
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		are, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			inFlightGauge = are.ExistingCollector.(*prometheus.GaugeVec)
 		} else {
 			return clientMetrics{}, err

@@ -57,8 +57,7 @@ func TestServerTransportCredentials(t *testing.T) {
 	err = bcreds.validateClient(tls.ConnectionState{
 		PeerCertificates: []*x509.Certificate{badCert},
 	})
-	var errSANNotAccepted ErrSANNotAccepted
-	test.AssertErrorWraps(t, err, &errSANNotAccepted)
+	test.AssertErrorWraps[ErrSANNotAccepted](t, err)
 
 	// A creds should accept peers that have a leaf certificate with a SAN
 	// that is on the accepted list
@@ -195,6 +194,5 @@ func TestClientReset(t *testing.T) {
 	tc := NewClientCredentials(nil, []tls.Certificate{}, "")
 	_, _, err := tc.ClientHandshake(context.Background(), "T:1010", &brokenConn{})
 	test.AssertError(t, err, "ClientHandshake succeeded with brokenConn")
-	var netErr net.Error
-	test.AssertErrorWraps(t, err, &netErr)
+	test.AssertErrorWraps[net.Error](t, err)
 }
@@ -25,8 +25,8 @@ func wrapError(ctx context.Context, appErr error) error {
 		return nil
 	}
 
-	var berr *berrors.BoulderError
-	if errors.As(appErr, &berr) {
+	berr, ok := errors.AsType[*berrors.BoulderError](appErr)
+	if ok {
 		pairs := []string{
 			"errortype", strconv.Itoa(int(berr.Type)),
 		}
@@ -92,8 +92,8 @@ func unwrapError(err error, md metadata.MD) error {
 		)
 	}
 	inErr := berrors.New(berrors.ErrorType(inErrType), inErrMsg)
-	var outErr *berrors.BoulderError
-	if !errors.As(inErr, &outErr) {
+	outErr, ok := errors.AsType[*berrors.BoulderError](inErr)
+	if !ok {
 		return fmt.Errorf(
 			"expected type of inErr to be %T got %T: %q",
 			outErr,

@@ -58,8 +58,7 @@ func TestErrorWrapping(t *testing.T) {
 	_, err = client.Chill(context.Background(), &test_proto.Time{})
 	test.Assert(t, err != nil, fmt.Sprintf("nil error returned, expected: %s", err))
 	test.AssertDeepEquals(t, err, es.err)
-	var bErr *berrors.BoulderError
-	ok := errors.As(err, &bErr)
+	bErr, ok := errors.AsType[*berrors.BoulderError](err)
 	test.Assert(t, ok, "asserting error as boulder error")
 	// Ensure we got a RateLimitError
 	test.AssertErrorIs(t, bErr, berrors.RateLimit)

@@ -327,8 +327,8 @@ func newServerMetrics(stats prometheus.Registerer) (serverMetrics, error) {
 	)
 	err := stats.Register(grpcMetrics)
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		are, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			grpcMetrics = are.ExistingCollector.(*grpc_prometheus.ServerMetrics)
 		} else {
 			return serverMetrics{}, err
@@ -345,8 +345,8 @@ func newServerMetrics(stats prometheus.Registerer) (serverMetrics, error) {
 		})
 	err = stats.Register(rpcLag)
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		are, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			rpcLag = are.ExistingCollector.(prometheus.Histogram)
 		} else {
 			return serverMetrics{}, err

@@ -404,8 +404,8 @@ func ValidEmail(address string) error {
 
 // subError returns an appropriately typed error based on the input error
 func subError(ident identifier.ACMEIdentifier, err error) berrors.SubBoulderError {
-	var bErr *berrors.BoulderError
-	if errors.As(err, &bErr) {
+	bErr, ok := errors.AsType[*berrors.BoulderError](err)
+	if ok {
 		return berrors.SubBoulderError{
 			Identifier:   ident,
 			BoulderError: bErr,

@@ -1,6 +1,7 @@
 package policy
 
 import (
+	"errors"
 	"fmt"
 	"net/netip"
 	"os"
@@ -167,8 +168,8 @@ func TestWellFormedIdentifiers(t *testing.T) {
 			test.AssertNil(t, err, fmt.Sprintf("Unexpected error for %q identifier %q, got %s", tc.ident.Type, tc.ident.Value, err))
 		} else {
 			test.AssertError(t, err, fmt.Sprintf("Expected error for %q identifier %q, but got none", tc.ident.Type, tc.ident.Value))
-			var berr *berrors.BoulderError
-			test.AssertErrorWraps(t, err, &berr)
+			test.AssertErrorWraps[*berrors.BoulderError](t, err)
+			berr, _ := errors.AsType[*berrors.BoulderError](err)
 			test.AssertContains(t, berr.Error(), tc.err.Error())
 		}
 	}
@@ -263,9 +264,9 @@ func TestWillingToIssue(t *testing.T) {
 	for _, ident := range shouldBeBlocked {
 		err := pa.WillingToIssue(identifier.ACMEIdentifiers{ident})
 		test.AssertError(t, err, "identifier was not correctly forbidden")
-		var berr *berrors.BoulderError
-		test.AssertErrorWraps(t, err, &berr)
-		test.AssertContains(t, berr.Detail, errPolicyForbidden.Error())
+		test.AssertErrorWraps[*berrors.BoulderError](t, err)
+		berr, _ := errors.AsType[*berrors.BoulderError](err)
+		test.AssertContains(t, berr.Error(), errPolicyForbidden.Error())
 	}
 
 	// Test acceptance of good identifiers
@@ -361,8 +362,8 @@ func TestWillingToIssue_Wildcards(t *testing.T) {
 				test.AssertNil(t, err, fmt.Sprintf("Unexpected error for domain %q, got %s", tc.Domain, err))
 			} else {
 				test.AssertError(t, err, fmt.Sprintf("Expected error for domain %q, but got none", tc.Domain))
-				var berr *berrors.BoulderError
-				test.AssertErrorWraps(t, err, &berr)
+				test.AssertErrorWraps[*berrors.BoulderError](t, err)
+				berr, _ := errors.AsType[*berrors.BoulderError](err)
 				test.AssertContains(t, berr.Error(), tc.ExpectedErr.Error())
 			}
 		})

@@ -259,8 +259,8 @@ func (pub *Impl) SubmitToSingleCTWithResult(ctx context.Context, req *pubpb.Requ
 			return nil, err
 		}
 		var body string
-		var rspErr jsonclient.RspError
-		if errors.As(err, &rspErr) && rspErr.StatusCode < 500 {
+		rspErr, ok := errors.AsType[jsonclient.RspError](err)
+		if ok && rspErr.StatusCode < 500 {
 			body = string(rspErr.Body)
 		}
 		pub.log.InfoObject("Failed to submit certificate to CT log", struct {
@@ -302,8 +302,8 @@ func (pub *Impl) singleLogSubmit(
 			status = "canceled"
 		}
 		httpStatus := ""
-		var rspError ctClient.RspError
-		if errors.As(err, &rspError) && rspError.StatusCode != 0 {
+		rspError, ok := errors.AsType[ctClient.RspError](err)
+		if ok && rspError.StatusCode != 0 {
 			httpStatus = fmt.Sprintf("%d", rspError.StatusCode)
 		}
 		pub.metrics.submissionLatency.With(prometheus.Labels{

@@ -799,8 +799,8 @@ func (ra *RegistrationAuthorityImpl) recheckCAA(ctx context.Context, authzs []*c
 		// identifier from the authorization that was checked.
 		err := recheckResult.err
 		if err != nil {
-			var bErr *berrors.BoulderError
-			if errors.As(err, &bErr) && bErr.Type == berrors.CAA {
+			bErr, ok := errors.AsType[*berrors.BoulderError](err)
+			if ok && bErr.Type == berrors.CAA {
 				subErrors = append(subErrors, berrors.SubBoulderError{
 					Identifier:   recheckResult.authz.Identifier,
 					BoulderError: bErr})

@@ -1257,8 +1257,8 @@ func TestRecheckCAAFail(t *testing.T) {
 	err := ra.recheckCAA(context.Background(), authzs)
 
 	test.AssertError(t, err, "expected err, got nil")
-	var berr *berrors.BoulderError
-	test.AssertErrorWraps(t, err, &berr)
+	test.AssertErrorWraps[*berrors.BoulderError](t, err)
+	berr, _ := errors.AsType[*berrors.BoulderError](err)
 	test.AssertErrorIs(t, berr, berrors.CAA)
 	test.AssertEquals(t, len(berr.SubErrors), 2)
 
@@ -1291,7 +1291,9 @@ func TestRecheckCAAFail(t *testing.T) {
 	// It should error
 	test.AssertError(t, err, "expected err from recheckCAA")
 	// It should be a berror
-	test.AssertErrorWraps(t, err, &berr)
+	test.AssertErrorWraps[*berrors.BoulderError](t, err)
+	// Unwrap this err
+	berr, _ = errors.AsType[*berrors.BoulderError](err)
 	// There should be *no* suberrors because there was only one overall error
 	test.AssertEquals(t, len(berr.SubErrors), 0)
 }

@@ -57,8 +57,8 @@ func resultForError(err error) string {
 		// Caller canceled the operation.
 		return "canceled"
 	}
-	var netErr net.Error
-	if errors.As(err, &netErr) && netErr.Timeout() {
+	netErr, ok := errors.AsType[net.Error](err)
+	if ok && netErr.Timeout() {
 		// Dialer timed out connecting to Redis.
 		return "timeout"
 	}

@@ -118,8 +118,8 @@ func newLookup(srvLookups []cmd.ServiceDomain, dnsAuthority string, frequency ti
 func (look *lookup) updateNow(ctx context.Context) (tempError, nonTempError error) {
 	var tempErrs []error
 	handleDNSError := func(err error, srv cmd.ServiceDomain) {
-		var dnsErr *net.DNSError
-		if errors.As(err, &dnsErr) && (dnsErr.IsTimeout || dnsErr.IsTemporary) {
+		dnsErr, ok := errors.AsType[*net.DNSError](err)
+		if ok && (dnsErr.IsTimeout || dnsErr.IsTemporary) {
 			tempErrs = append(tempErrs, err)
 			return
 		}

@@ -93,8 +93,8 @@ func MustRegisterClientMetricsCollector(client poolStatGetter, stats prometheus.
 	}
 	err := stats.Register(newClientMetricsCollector(client, labels))
 	if err != nil {
-		are := prometheus.AlreadyRegisteredError{}
-		if errors.As(err, &are) {
+		_, ok := errors.AsType[prometheus.AlreadyRegisteredError](err)
+		if ok {
 			// The collector is already registered using the same labels.
 			return
 		}

@@ -8,6 +8,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"database/sql"
+	"errors"
 	"fmt"
 	"math/big"
 	"net/netip"
@@ -220,8 +221,8 @@ func TestModelToOrderBadJSON(t *testing.T) {
 		Error: badJSON,
 	})
 	test.AssertError(t, err, "expected error from modelToOrderv2")
-	var badJSONErr errBadJSON
-	test.AssertErrorWraps(t, err, &badJSONErr)
+	test.AssertErrorWraps[errBadJSON](t, err)
+	badJSONErr, _ := errors.AsType[errBadJSON](err)
 	test.AssertEquals(t, string(badJSONErr.json), string(badJSON))
 }
 
@@ -288,8 +289,8 @@ func TestPopulateAttemptedFieldsBadJSON(t *testing.T) {
 		t.Run(tc.Name, func(t *testing.T) {
 			err := populateAttemptedFields(*tc.Model, &corepb.Challenge{})
 			test.AssertError(t, err, "expected error from populateAttemptedFields")
-			var badJSONErr errBadJSON
-			test.AssertErrorWraps(t, err, &badJSONErr)
+			test.AssertErrorWraps[errBadJSON](t, err)
+			badJSONErr, _ := errors.AsType[errBadJSON](err)
 			test.AssertEquals(t, string(badJSONErr.json), string(badJSON))
 		})
 	}