diff --git a/ca/bootstrap_test.go b/ca/bootstrap_test.go
index 9aaa5f1f..1cda8232 100644
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@@ -53,7 +53,11 @@ func startCABootstrapServer() *httptest.Server {
 	if err != nil {
 		panic(err)
 	}
+	baseContext := buildContext(ca.auth, nil, nil, nil)
 	srv.Config.Handler = ca.srv.Handler
+	srv.Config.BaseContext = func(net.Listener) context.Context {
+		return baseContext
+	}
 	srv.TLS = ca.srv.TLSConfig
 	srv.StartTLS()
 	// Force the use of GetCertificate on IPs
diff --git a/ca/ca_test.go b/ca/ca_test.go
index e4c35a90..29eac575 100644
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -2,6 +2,7 @@ package ca
 
 import (
 	"bytes"
+	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/sha1"
@@ -281,7 +282,8 @@ ZEp7knvU2psWRw==
 			assert.FatalError(t, err)
 			rr := httptest.NewRecorder()
 
-			tc.ca.srv.Handler.ServeHTTP(rr, rq)
+			ctx := authority.NewContext(context.Background(), tc.ca.auth)
+			tc.ca.srv.Handler.ServeHTTP(rr, rq.WithContext(ctx))
 
 			if assert.Equals(t, rr.Code, tc.status) {
 				body := &ClosingBuffer{rr.Body}
@@ -360,7 +362,8 @@ func TestCAProvisioners(t *testing.T) {
 			assert.FatalError(t, err)
 			rr := httptest.NewRecorder()
 
-			tc.ca.srv.Handler.ServeHTTP(rr, rq)
+			ctx := authority.NewContext(context.Background(), tc.ca.auth)
+			tc.ca.srv.Handler.ServeHTTP(rr, rq.WithContext(ctx))
 
 			if assert.Equals(t, rr.Code, tc.status) {
 				body := &ClosingBuffer{rr.Body}
@@ -426,7 +429,8 @@ func TestCAProvisionerEncryptedKey(t *testing.T) {
 			assert.FatalError(t, err)
 			rr := httptest.NewRecorder()
 
-			tc.ca.srv.Handler.ServeHTTP(rr, rq)
+			ctx := authority.NewContext(context.Background(), tc.ca.auth)
+			tc.ca.srv.Handler.ServeHTTP(rr, rq.WithContext(ctx))
 
 			if assert.Equals(t, rr.Code, tc.status) {
 				body := &ClosingBuffer{rr.Body}
@@ -487,7 +491,8 @@ func TestCARoot(t *testing.T) {
 			assert.FatalError(t, err)
 			rr := httptest.NewRecorder()
 
-			tc.ca.srv.Handler.ServeHTTP(rr, rq)
+			ctx := authority.NewContext(context.Background(), tc.ca.auth)
+			tc.ca.srv.Handler.ServeHTTP(rr, rq.WithContext(ctx))
 
 			if assert.Equals(t, rr.Code, tc.status) {
 				body := &ClosingBuffer{rr.Body}
@@ -534,7 +539,8 @@ func TestCAHealth(t *testing.T) {
 			assert.FatalError(t, err)
 			rr := httptest.NewRecorder()
 
-			tc.ca.srv.Handler.ServeHTTP(rr, rq)
+			ctx := authority.NewContext(context.Background(), tc.ca.auth)
+			tc.ca.srv.Handler.ServeHTTP(rr, rq.WithContext(ctx))
 
 			if assert.Equals(t, rr.Code, tc.status) {
 				body := &ClosingBuffer{rr.Body}
@@ -628,7 +634,8 @@ func TestCARenew(t *testing.T) {
 			rq.TLS = tc.tlsConnState
 			rr := httptest.NewRecorder()
 
-			tc.ca.srv.Handler.ServeHTTP(rr, rq)
+			ctx := authority.NewContext(context.Background(), tc.ca.auth)
+			tc.ca.srv.Handler.ServeHTTP(rr, rq.WithContext(ctx))
 
 			if assert.Equals(t, rr.Code, tc.status) {
 				body := &ClosingBuffer{rr.Body}
diff --git a/ca/tls_test.go b/ca/tls_test.go
index 93dbe9b3..946a6cb5 100644
--- a/ca/tls_test.go
+++ b/ca/tls_test.go
@@ -10,6 +10,7 @@ import (
 	"encoding/hex"
 	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -77,7 +78,12 @@ func startCATestServer() *httptest.Server {
 		panic(err)
 	}
 	// Use a httptest.Server instead
-	return startTestServer(ca.srv.TLSConfig, ca.srv.Handler)
+	srv := startTestServer(ca.srv.TLSConfig, ca.srv.Handler)
+	baseContext := buildContext(ca.auth, nil, nil, nil)
+	srv.Config.BaseContext = func(net.Listener) context.Context {
+		return baseContext
+	}
+	return srv
 }
 
 func sign(domain string) (*Client, *api.SignResponse, crypto.PrivateKey) {