diff --git a/management/auth.py b/management/auth.py
index 2d5b8a36..36112572 100644
--- a/management/auth.py
+++ b/management/auth.py
@@ -49,10 +49,12 @@ class AuthService:
 username, password = parse_http_authorization_basic(request.headers.get('Authorization', ''))
 if username in {None, ""}:
- raise ValueError("Authorization header invalid.")
+ msg = "Authorization header invalid."
+ raise ValueError(msg)
 if username.strip() == "" and password.strip() == "":
- raise ValueError("No email address, password, session key, or API key provided.")
+ msg = "No email address, password, session key, or API key provided."
+ raise ValueError(msg)
 # If user passed the system API key, grant administrative privs. This key
 # is not associated with a user.
@@ -72,7 +74,8 @@ class AuthService:
 # If no password was given, but a username was given, we're missing some information.
 elif password.strip() == "":
- raise ValueError("Enter a password.")
+ msg = "Enter a password."
+ raise ValueError(msg)
 else:
 # The user is trying to log in with a username and a password
@@ -114,7 +117,8 @@ class AuthService:
 ])
 except:
 # Login failed.
- raise ValueError("Incorrect email address or password.")
+ msg = "Incorrect email address or password."
+ raise ValueError(msg)
 # If MFA is enabled, check that MFA passes.
 status, hints = validate_auth_mfa(email, request, env)
diff --git a/management/backup.py b/management/backup.py
index bb6dff9a..75046971 100755
--- a/management/backup.py
+++ b/management/backup.py
@@ -507,7 +507,8 @@ def list_target_files(config):
 path = ''
 if bucket == "":
- raise ValueError("Enter an S3 bucket name.")
+ msg = "Enter an S3 bucket name."
+ raise ValueError(msg)
 # connect to the region & bucket
 try:
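Review bot: The bare `except:` in the `@@ -114,7 +117,8 @@` hunk of management/auth.py converts every exception from the preceding call, including `KeyboardInterrupt`/`SystemExit` and any internal fault in the credential check, into "Incorrect email address or password.", so a broken password backend looks the same as a wrong password in the logs. The `try` body begins outside the hunk, so the exception the check actually raises is not visible here. Narrow the handler to that exception, or at least to `except Exception as e:`, and chain it with `raise ValueError(msg) from e` so the cause is kept for diagnostics while the caller-facing message stays generic.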
@@ -535,7 +536,8 @@ def list_target_files(config):
 b2_api.authorize_account("production", b2_application_keyid, b2_application_key)
 bucket = b2_api.get_bucket_by_name(b2_bucket)
 except NonExistentBucket as e:
- raise ValueError("B2 Bucket does not exist. Please double check your information!")
+ msg = "B2 Bucket does not exist. Please double check your information!"
+ raise ValueError(msg)
 return [(key.file_name, key.size) for key, _ in bucket.ls()]
 else:
diff --git a/management/dns_update.py b/management/dns_update.py
index 23aee2a5..c9e4d359 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -919,7 +919,8 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 rtype = rtype.upper()
 if value is not None and qname != "_secondary_nameserver":
 if not re.search(DOMAIN_RE, qname):
- raise ValueError("Invalid name.")
+ msg = "Invalid name."
+ raise ValueError(msg)
 if rtype in {"A", "AAAA"}:
 if value != "local": # "local" is a special flag for us
@@ -928,14 +929,16 @@ def set_custom_dns_record(qname, rtype, value, action, env):
 if rtype == "AAAA" and not isinstance(v, ipaddress.IPv6Address): raise ValueError("That's an IPv4 address.")
 elif rtype in {"CNAME", "NS"}:
 if rtype == "NS" and qname == zone:
- raise ValueError("NS records can only be set for subdomains.")
+ msg = "NS records can only be set for subdomains."
+ raise ValueError(msg)
 # ensure value has a trailing dot
 if not value.endswith("."):
 value = value + "."
 if not re.search(DOMAIN_RE, value):
- raise ValueError("Invalid value.")
+ msg = "Invalid value."
+ raise ValueError(msg)
 elif rtype in {"CNAME", "TXT", "SRV", "MX", "SSHFP", "CAA"}:
 # anything goes
 pass
diff --git a/management/mailconfig.py b/management/mailconfig.py
index 3bfc8dc0..cfdc3239 100755
--- a/management/mailconfig.py
+++ b/management/mailconfig.py
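Review bot: In the `@@ -535,7 +536,8 @@` hunk of management/backup.py, `except NonExistentBucket as e:` binds `e` but the new `raise ValueError(msg)` never uses it, so the B2 error is attached only as implicit context. Make the link explicit with `raise ValueError(msg) from e`, or drop `as e` if hiding the cause is intended. The surrounding `try` starts outside the hunk.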
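Review bot: In the `@@ -928,14 +929,16 @@` hunk of management/dns_update.py, the `"CNAME"` entry in `elif rtype in {"CNAME", "TXT", "SRV", "MX", "SSHFP", "CAA"}:` is unreachable because the earlier `elif rtype in {"CNAME", "NS"}:` already handles it, and the remaining types accept `value` with no check at all ("anything goes"). If these values are later written into zone data, which is not visible in this diff, the branch should at least reject line breaks and other control characters instead of `pass`. Both hunks of this file also validate with `re.search(DOMAIN_RE, ...)`; unless `DOMAIN_RE` is anchored at both ends (its definition is outside the diff), `re.fullmatch(DOMAIN_RE, value)` is the safer call. The function continues beyond the hunk.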
@@ -608,9 +608,11 @@ def kick(env, mail_result=None):
 def validate_password(pw):
 # validate password
 if pw.strip() == "":
- raise ValueError("No password provided.")
+ msg = "No password provided."
+ raise ValueError(msg)
 if len(pw) < 8:
- raise ValueError("Passwords must be at least eight characters.")
+ msg = "Passwords must be at least eight characters."
+ raise ValueError(msg)
 if __name__ == "__main__":
 import sys
diff --git a/management/mfa.py b/management/mfa.py
index 32eb5183..148fd912 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -41,9 +41,11 @@ def enable_mfa(email, type, secret, token, label, env):
 # Sanity check with the provide current token.
 totp = pyotp.TOTP(secret)
 if not totp.verify(token, valid_window=1):
- raise ValueError("Invalid token.")
+ msg = "Invalid token."
+ raise ValueError(msg)
 else:
- raise ValueError("Invalid MFA type.")
+ msg = "Invalid MFA type."
+ raise ValueError(msg)
 conn, c = open_database(env, with_connection=True)
 c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
@@ -67,9 +69,11 @@ def disable_mfa(email, mfa_id, env):
 def validate_totp_secret(secret):
 if type(secret) != str or secret.strip() == "":
- raise ValueError("No secret provided.")
+ msg = "No secret provided."
+ raise ValueError(msg)
 if len(secret) != 32:
- raise ValueError("Secret should be a 32 characters base32 string")
+ msg = "Secret should be a 32 characters base32 string"
+ raise ValueError(msg)
 def provision_totp(email, env):
 # Make a new secret.
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 77a411b6..8ff43b11 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
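Review bot: `validate_totp_secret` in the `@@ -67,9 +69,11 @@` hunk of management/mfa.py tells the caller the secret must be "a 32 characters base32 string" but enforces only `len(secret) != 32`, so a 32-character value containing characters outside the base32 alphabet passes validation. Whether such a value is later rejected depends on the TOTP library call in `enable_mfa`, which is a separate hunk; the validator should check the alphabet (A–Z, 2–7) itself and raise the same ValueError. The type test is also better written as `if not isinstance(secret, str) or secret.strip() == "":`.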
@@ -624,7 +624,8 @@ def load_cert_chain(pemfile):
 pem = f.read() + b"\n" # ensure trailing newline
 pemblocks = re.findall(re_pem, pem)
 if len(pemblocks) == 0:
- raise ValueError("File does not contain valid PEM data.")
+ msg = "File does not contain valid PEM data."
+ raise ValueError(msg)
 return pemblocks
 def load_pem(pem):
@@ -635,7 +636,8 @@ def load_pem(pem):
 from cryptography.hazmat.backends import default_backend
 pem_type = re.match(b"-+BEGIN (.*?)-+[\r\n]", pem)
 if pem_type is None:
- raise ValueError("File is not a valid PEM-formatted file.")
+ msg = "File is not a valid PEM-formatted file."
+ raise ValueError(msg)
 pem_type = pem_type.group(1)
 if pem_type in {b"RSA PRIVATE KEY", b"PRIVATE KEY"}:
 return serialization.load_pem_private_key(pem, password=None, backend=default_backend())
diff --git a/tests/fail2ban.py b/tests/fail2ban.py
index 9979507f..254232c4 100644
--- a/tests/fail2ban.py
+++ b/tests/fail2ban.py
@@ -39,7 +39,8 @@ def smtp_test():
 try:
 server.login("fakeuser", "fakepassword")
- raise Exception("authentication didn't fail")
+ msg = "authentication didn't fail"
+ raise Exception(msg)
 except smtplib.SMTPAuthenticationError:
 # athentication should fail
 pass
@@ -61,7 +62,8 @@ def imap_test():
 try:
 M.login("fakeuser", "fakepassword")
- raise Exception("authentication didn't fail")
+ msg = "authentication didn't fail"
+ raise Exception(msg)
 except imaplib.IMAP4.error:
 # authentication should fail
 pass
@@ -85,7 +87,8 @@ def pop_test():
 M = None # don't .quit()
 return
 M.list()
- raise Exception("authentication didn't fail")
+ msg = "authentication didn't fail"
+ raise Exception(msg)
 finally:
 if M:
 M.quit()
@@ -103,7 +106,8 @@ def managesieve_test():
 try:
 M.login("fakeuser", "fakepassword")
- raise Exception("authentication didn't fail")
+ msg = "authentication didn't fail"
+ raise Exception(msg)
 except imaplib.IMAP4.error:
 # authentication should fail
 pass