From 0d947828fece5d91cde6b1b25df36e6e972ae5d9 Mon Sep 17 00:00:00 2001
From: Zakir Jiwani <108548454+JiwaniZakir@users.noreply.github.com>
Date: Thu, 19 Mar 2026 21:24:08 +0000
Subject: [PATCH] fix: enforce termsOfServiceAgreed in ACME new-account requests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When a provisioner has termsOfService configured, reject new account creation if termsOfServiceAgreed is not true, per RFC 8555 ยง7.3.3. Fixes #2539
---
 acme/api/account.go | 6 ++++++
 acme/api/account_test.go | 17 +++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/acme/api/account.go b/acme/api/account.go
index 3114dcb35..2237a9125 100644
--- a/acme/api/account.go
+++ b/acme/api/account.go
@@ -119,6 +119,12 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if prov.TermsOfService != "" && !nar.TermsOfServiceAgreed {
+		render.Error(w, r, acme.NewError(acme.ErrorUserActionRequiredType,
+			"terms of service must be agreed to: %s", prov.TermsOfService))
+		return
+	}
+
 	jwk, err := jwkFromContext(ctx)
 	if err != nil {
 		render.Error(w, r, err)
diff --git a/acme/api/account_test.go b/acme/api/account_test.go
index b69830f92..6600e9bc4 100644
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
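Review bot: The new guard fires before the JWK is read and, as far as the hunk shows, before any handling of the request's onlyReturnExisting flag, so a lookup-only request that omits termsOfServiceAgreed is now rejected with userActionRequired even though it creates no account; RFC 8555 ties the agreement requirement to account creation (§7.3.3) and expects a lookup-only request to be answered with the existing account or accountDoesNotExist (§7.3.1). If that branch sits further down in NewAccount, consider ordering the check after it or widening the condition to `if !nar.OnlyReturnExisting && prov.TermsOfService != "" && !nar.TermsOfServiceAgreed {`, and pin the chosen behaviour with a test. Separately, the terms URL only travels in the error detail string; clients are expected to find it in the directory's meta.termsOfService and, on a userActionRequired response, in a `Link: <url>;rel="terms-of-service"` header, so if render.Error does not already emit that header it is worth a follow-up. NewAccount starts and ends outside the hunk.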
@@ -480,6 +480,23 @@ func TestHandler_NewAccount(t *testing.T) {
 				err: acme.NewError(acme.ErrorAccountDoesNotExistType, "account does not exist"),
 			}
 		},
+		"fail/terms-of-service-not-agreed": func(t *testing.T) test {
+			nar := &NewAccountRequest{
+				Contact: []string{"foo", "bar"},
+			}
+			b, err := json.Marshal(nar)
+			assert.FatalError(t, err)
+			p := newACMEProv(t)
+			p.TermsOfService = "https://terms.ca.local/"
+			ctx := context.WithValue(context.Background(), payloadContextKey, &payloadInfo{value: b})
+			ctx = acme.NewProvisionerContext(ctx, p)
+			return test{
+				db: &acme.MockDB{},
+				ctx: ctx,
+				statusCode: 400,
+				err: acme.NewError(acme.ErrorUserActionRequiredType, "terms of service must be agreed to: https://terms.ca.local/"),
+			}
+		},
 		"fail/no-jwk": func(t *testing.T) test {
 			nar := &NewAccountRequest{
 				Contact: []string{"foo", "bar"},
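Review bot: The new case only pins the rejection path; nothing in the table shows that a request with termsOfServiceAgreed set to true against the same provisioner gets past the guard, so an inverted condition in NewAccount would still pass this test. A sibling case built like this one but with `TermsOfServiceAgreed: true` in the NewAccountRequest would cover it — presumably it should land on the same outcome as the neighbouring "fail/no-jwk" case, since the context constructed here carries no JWK either — and a third case with an empty TermsOfService on the provisioner and no agreement would confirm the check is skipped when no terms are configured. The test table and TestHandler_NewAccount extend beyond the hunk.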