diff --git a/authority/config/tls_options.go b/authority/config/tls_options.go
index 5ef6c8942..2d6de084b 100644
--- a/authority/config/tls_options.go
+++ b/authority/config/tls_options.go
@@ -169,7 +169,6 @@ func (t *TLSOptions) TLSConfig() *tls.Config {
 		rs = tls.RenegotiateNever
 	}
 
-	//nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used
 	return &tls.Config{
 		CipherSuites:  t.CipherSuites.Value(),
 		MinVersion:    t.MinVersion.Value(),
diff --git a/authority/poolhttp/poolhttp.go b/authority/poolhttp/poolhttp.go
index e0753ece9..dd8c5a11a 100644
--- a/authority/poolhttp/poolhttp.go
+++ b/authority/poolhttp/poolhttp.go
@@ -70,10 +70,10 @@ func (c *Client) Get(u string) (resp *http.Response, err error) {
 // as redirects, cookies, auth) as configured on the client.
 func (c *Client) Do(req *http.Request) (resp *http.Response, err error) {
 	if hc := c.getClient(); hc != nil {
-		resp, err = hc.Do(req) //nolint:gosec // intentional HTTP request to configured endpoint
+		resp, err = hc.Do(req)
 		c.pool.Put(hc)
 	} else {
-		resp, err = http.DefaultClient.Do(req) //nolint:gosec // intentional HTTP request to configured endpoint
+		resp, err = http.DefaultClient.Do(req)
 	}
 
 	return
diff --git a/ca/client.go b/ca/client.go
index b4acf6fb9..34698a18b 100644
--- a/ca/client.go
+++ b/ca/client.go
@@ -143,7 +143,7 @@ func enforceRequestID(r *http.Request) {
 func (c *uaClient) Do(req *http.Request) (*http.Response, error) {
 	req.Header.Set("User-Agent", UserAgent)
 	enforceRequestID(req)
-	return c.Client.Do(req) //nolint:gosec // request to user-configured CA server
+	return c.Client.Do(req)
 }
 
 // RetryFunc defines the method used to retry a request. If it returns true, the