diff --git a/go.mod b/go.mod
index 9e4cda2ea3d64c542855c59af33d95847a79188b..ce045d21590a1458fd421e357d93d8801ceff268 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,8 @@ module git.autistici.org/ai3/accountserver
 go 1.14
 
 require (
- git.autistici.org/ai3/go-common v0.0.0-20221125154433-06304016b1da
- git.autistici.org/ai3/tools/aux-db v0.0.0-20221125171454-d54e4d0b7cce
+ git.autistici.org/ai3/go-common v0.0.0-20230526131513-5afdaf014661
+ git.autistici.org/ai3/tools/aux-db v0.0.0-20230526180147-f1817237ce25
 git.autistici.org/id/auth v0.0.0-20221218082828-0c11710e98c8
 git.autistici.org/id/go-sso v0.0.0-20221216110623-a98dfc78fec5
 git.autistici.org/id/usermetadb v0.0.0-20221125171152-3bbb63732147
diff --git a/go.sum b/go.sum
index 9cad140942eb014f5e184313417d8ff0b1eaf58c..d8aae95023fe0398b36c4955ba9fe52262d95c2f 100644
--- a/go.sum
+++ b/go.sum
@@ -61,12 +61,16 @@ git.autistici.org/ai3/go-common v0.0.0-20220817083651-2152f73e6a30 h1:0bAV2xv3Ss git.autistici.org/ai3/go-common v0.0.0-20220817083651-2152f73e6a30/go.mod h1:KckkZ6BZT7trRIKwnGoGj1DyfxywC/p+y2qHaQkT+xE= git.autistici.org/ai3/go-common v0.0.0-20221125154433-06304016b1da h1:fizdAjFv2vWz+83IoeRW2L0Shyo3dDquXyQKWRGs4jc= git.autistici.org/ai3/go-common v0.0.0-20221125154433-06304016b1da/go.mod h1:FTGqOGPpuoFg7TiHshYCyp5j1Ab3ek0J0KcS++vEjxw= +git.autistici.org/ai3/go-common v0.0.0-20230526131513-5afdaf014661 h1:QidAfAxaIMWWu52luWF30wvRpv7t+Ic73xxsTUENqSU= +git.autistici.org/ai3/go-common v0.0.0-20230526131513-5afdaf014661/go.mod h1:FTGqOGPpuoFg7TiHshYCyp5j1Ab3ek0J0KcS++vEjxw= git.autistici.org/ai3/tools/aux-db v0.0.0-20220814163905-70f7fecce790 h1:YhJMXYksPqVRfvk5jBlNhfF7IiZ6vWF6MlPhgX3b/jM= git.autistici.org/ai3/tools/aux-db v0.0.0-20220814163905-70f7fecce790/go.mod h1:UD0byKUa4u+SJYRkPfBerIUlASywoMjv6bhRFHH1Z2M= git.autistici.org/ai3/tools/aux-db v0.0.0-20220818160227-5d7178bfa00b h1:rAYBa3/MithR4BY9IVuMksCwW/DqDw6vNLsn046TWtI= git.autistici.org/ai3/tools/aux-db v0.0.0-20220818160227-5d7178bfa00b/go.mod h1:1dMB/4qj2GrNQ1SwjnhY9wK/BHYPvzHJe+2hEW3B9H4= git.autistici.org/ai3/tools/aux-db v0.0.0-20221125171454-d54e4d0b7cce h1:8M1n4NOPHTdMBNoK5FraXkhELLhOZjj1GjaUsAa1D7Q= git.autistici.org/ai3/tools/aux-db v0.0.0-20221125171454-d54e4d0b7cce/go.mod h1:fppRZj6HUHq7w7HJiWrS1edO7B7EA1Ok4RftjusP++0= +git.autistici.org/ai3/tools/aux-db v0.0.0-20230526180147-f1817237ce25 h1:uwgKBgr/jKA6v4LEkQf9mMsCymcX8SGOcJOnjp/39OU= +git.autistici.org/ai3/tools/aux-db v0.0.0-20230526180147-f1817237ce25/go.mod h1:xpSYLTUVjg+qRdyIRLmsqj5es/ih+WHNSOwGesFgesM= git.autistici.org/id/auth v0.0.0-20220817085144-ff8510edf7c8 h1:33Nyqa9zqO89IK2rkE1BnfqNagp2tGotJXGHVS0VvTc= git.autistici.org/id/auth v0.0.0-20220817085144-ff8510edf7c8/go.mod h1:R8GERlQ1XT0ArPksnZv/DaWX+BlJQO6OBHNGT+OIDJo= git.autistici.org/id/auth v0.0.0-20220830193236-daf8fb80b4da 
h1:qmIU0u+oJZFGrHuQq690aM2IqqkcQtfI/BQz7XD15oE=
diff --git a/vendor/git.autistici.org/ai3/go-common/serverutil/http.go b/vendor/git.autistici.org/ai3/go-common/serverutil/http.go
index b2575350bcb11e0099375aee69a3b4f37a3500c7..ebfe6b6f7a914b34d76e4e19ae906f8ba9439b3d 100644
--- a/vendor/git.autistici.org/ai3/go-common/serverutil/http.go
+++ b/vendor/git.autistici.org/ai3/go-common/serverutil/http.go
@@ -104,13 +104,20 @@ func (config *ServerConfig) buildHTTPHandler(h http.Handler) (http.Handler, *tls
 return h, tlsConfig, nil
 }
 
-// Serve HTTP(S) content on the specified address. If config.TLS is
-// not nil, enable HTTPS and TLS authentication.
-//
-// This function will return an error if there are problems creating
-// the listener, otherwise it will handle graceful termination on
-// SIGINT or SIGTERM and return nil.
-func Serve(h http.Handler, config *ServerConfig, addr string) error {
+func buildListener(addr string, tlsConfig *tls.Config) (net.Listener, error) {
+ // Create the net.Listener first, so we can detect
+ // initialization-time errors safely.
+ l, err := net.Listen("tcp", addr)
+ if err != nil {
+ return nil, err
+ }
+ if tlsConfig != nil {
+ l = tls.NewListener(l, tlsConfig)
+ }
+ return l, nil
+}
+
+func buildServer(h http.Handler, config *ServerConfig, addr string) (*http.Server, error) {
 // Wrap with tracing handler (exclude metrics and other
 // debugging endpoints).
 h = tracing.WrapHandler(h, guessEndpointName(addr))
@@ -118,7 +125,7 @@ func Serve(h http.Handler, config *ServerConfig, addr string) error {
 // Create the top-level HTTP handler with all our additions.
 hh, tlsConfig, err := config.buildHTTPHandler(h)
 if err != nil {
- return err
+ return nil, err
 }
 
 // These are not meant to be external-facing servers, so we
@@ -131,14 +138,24 @@ func Serve(h http.Handler, config *ServerConfig, addr string) error {
 TLSConfig: tlsConfig,
 }
 
- // Create the net.Listener first, so we can detect
- // initialization-time errors safely.
- l, err := net.Listen("tcp", addr)
+ return srv, nil
+}
+
+// Serve HTTP(S) content on the specified address. If config.TLS is
+// not nil, enable HTTPS and TLS authentication.
+//
+// This function will return an error if there are problems creating
+// the listener, otherwise it will handle graceful termination on
+// SIGINT or SIGTERM and return nil.
+func Serve(h http.Handler, config *ServerConfig, addr string) error {
+ srv, err := buildServer(h, config, addr)
 if err != nil {
 return err
 }
- if srv.TLSConfig != nil {
- l = tls.NewListener(l, srv.TLSConfig)
+
+ l, err := buildListener(addr, srv.TLSConfig)
+ if err != nil {
+ return err
 }
 
 // Install a signal handler for gentle process termination.
@@ -176,6 +193,38 @@ func Serve(h http.Handler, config *ServerConfig, addr string) error {
 return nil
 }
 
+// ServeWithContext operates like Serve but with a controlling Context
+// that can be used to stop the HTTP server.
+func ServeWithContext(ctx context.Context, h http.Handler, config *ServerConfig, addr string) error {
+ srv, err := buildServer(h, config, addr)
+ if err != nil {
+ return err
+ }
+
+ l, err := buildListener(addr, srv.TLSConfig)
+ if err != nil {
+ return err
+ }
+
+ go func() {
+ <-ctx.Done()
+
+ sctx, cancel := context.WithTimeout(context.Background(), gracefulShutdownTimeout)
+ srv.Shutdown(sctx) // nolint: errcheck
+ srv.Close()
+ cancel()
+ }()
+
+ daemon.SdNotify(false, "READY=1") // nolint
+
+ err = srv.Serve(l)
+ if err == http.ErrServerClosed {
+ err = nil
+ }
+
+ return err
+}
+
 func addDefaultHandlers(h http.Handler) http.Handler {
 root := http.NewServeMux()
 
diff --git a/vendor/git.autistici.org/ai3/go-common/serverutil/tls.go b/vendor/git.autistici.org/ai3/go-common/serverutil/tls.go
index 21c002b8baaae892f04f481b84a23e1aa7a34067..b81b0470dc296240ac81c734791e080f8b5416dd 100644
--- a/vendor/git.autistici.org/ai3/go-common/serverutil/tls.go
+++ b/vendor/git.autistici.org/ai3/go-common/serverutil/tls.go
@@ -123,6 +123,7 @@ func (c *TLSServerConfig) TLSConfig() (*tls.Config, error) {
 CipherSuites: serverCiphers,
 MinVersion: tls.VersionTLS12,
 PreferServerCipherSuites: true,
+ NextProtos: []string{"h2", "http/1.1"},
 }
 
 // Require client certificates if a CA is specified.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3fd221492711062d37067f1c30c9b5a9fc6e7247..b6e55a2b28530eeb167daddab0f6d4e0be886eb1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,6 +1,6 @@ # cloud.google.com/go v0.88.0 cloud.google.com/go/compute/metadata -# git.autistici.org/ai3/go-common v0.0.0-20221125154433-06304016b1da +# git.autistici.org/ai3/go-common v0.0.0-20230526131513-5afdaf014661 ## explicit git.autistici.org/ai3/go-common git.autistici.org/ai3/go-common/clientutil
@@ -10,7 +10,7 @@ git.autistici.org/ai3/go-common/pwhash git.autistici.org/ai3/go-common/serverutil git.autistici.org/ai3/go-common/tracing git.autistici.org/ai3/go-common/userenckey -# git.autistici.org/ai3/tools/aux-db v0.0.0-20221125171454-d54e4d0b7cce +# git.autistici.org/ai3/tools/aux-db v0.0.0-20230526180147-f1817237ce25 ## explicit git.autistici.org/ai3/tools/aux-db/proto # git.autistici.org/id/auth v0.0.0-20221218082828-0c11710e98c8