fix: enforce termsOfServiceAgreed when termsOfService is configured

[avasis-ai]

Summary

Per RFC 8555 §7.3.3, when an ACME provisioner has termsOfService configured, the server should reject newAccount requests that do not set termsOfServiceAgreed to true.

Previously, the server advertised termsOfService in the directory metadata but did not enforce that clients agree to it before creating an account.

Changes

• Added a check in NewAccount handler (acme/api/account.go) that returns an ErrorUserActionRequiredType ACME error when termsOfService is configured on the provisioner but the request does not include termsOfServiceAgreed: true.
• The error message includes the terms of service URL, as recommended by the RFC.

Testing

The fix follows the existing error handling pattern used for other ACME validation checks (e.g., onlyReturnExisting). The acmeProvisionerFromContext returns *provisioner.ACME which exposes the TermsOfService field, consistent with how it's accessed in handler.go for directory metadata.

Closes #2539

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}