The Unpause URL
I assume boulder.service.consul is some sort of placeholder/testing text, and the real domain would be something that lives under letsencrypt.org? (.consul doesn't seem to be a TLD)
In addition to the concerns about it being a long URL and the variety of ways that clients expose (or don't) the errors they get, I'm a little concerned that the URL is the only "password" used. It may not be that big a deal in practice, but any system that gets access to the log may automatically hit the address (such as when it gets pasted into this forum and the forum tries to figure out if there's a fancy boxed description to make for it). That is, URLs tend to become "public" (and crawled by search engines and whatnot), and while I don't know if there are any real security implications, I wonder if having a separate simple password that goes with the URL might be better, to ensure that the user actually has the whole log entry and is intending to use the page? (Along the lines of "Please visit: https://letsencrypt.org.example/unpause/Abc…xyz and enter password 123456") Might just be overkill and add more confusion than it would solve; just brainstorming.
If the URL needs to be that long, I don't know if having some sort of delimiter around it (quotes or angle brackets or whatnot) would be better or worse.
Emailing the account holder?
Before an account goes onto the pause list, would an email get sent to the contact? I'm sure in most cases they're not checking their email any more than they're checking their zombie client, but some other kind of contact might be a good plan in addition to shutting off access for the account to request authorizations. (Though as I said in the thread a few years ago, I'd like more emails from Let's Encrypt in general, but I'm probably odd in that way.)
Referring people to the community
While I understand that this is the only place the "Get Help" link on letsencrypt.org points to, I'm not really sure what we're supposed to be able to do to help people with some of these messages? If there's a "Scenario 2" with somebody who can't figure out how to copy/paste the URL (maybe their client is truncating the error message, or maybe they just are still learning how to use a terminal program), it may be tough for us to give much help in some cases. It's also not clear just from the error message just how "private" the URL is supposed to be, or what access it might give over their account. (And maybe that's another reason to separate out a "password", so that maybe it's clearer that the URL can't do anything to the account without the password.)
I don't really have a better plan, though.
Thank you for going over all of this and soliciting feedback! I know I may come across negatively sometimes, but I do very much appreciate all the work you all do, and I hope this feature rolls out smoothly and helps take a lot of load off your poor burdened servers.