The operating system my web server runs on is (include version):
CentOS 8 - CentOS Stream release 8
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0
Further notes: It seems the temporary RewriteRules that certbot is adding to my virtual host are not working. I tried adding them manually just for testing purposes and I could not access a temp file I created in /var/lib/letsencrypt/http_challenges/. I enabled a quick alias for the same directory and could access the file just fine. I have verified that mod_rewrite is enabled in Apache.
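A local pre-flight for the path mapping described above, added here as an example and not code from the thread or from certbot. It stands up a throwaway HTTP server that maps `/.well-known/acme-challenge/<token>` onto a challenge directory the way an Alias or RewriteRule would (restricting the token to the same character class a rewrite rule would match, so `..` and `/` never reach the filesystem), writes a constructed token into that directory, fetches it through the server and checks the body. `check_challenge_url()` and `preflight()` can equally be pointed at a real web server and `/var/lib/letsencrypt/http_challenges/` (hypothetical `base_url`), which tells you whether the vhost's rule serves the directory at all; it says nothing about whether the Let's Encrypt validators can reach port 80 from outside, which the rest of this thread covers.

```python
"""Pre-flight check for an HTTP-01 challenge path mapping (constructed example)."""
import http.server
import os
import re
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"
# Token alphabet: URL-safe base64 only. Anything else (".", "/", "%") is refused,
# so a request like ../../etc/passwd can never resolve outside challenge_dir.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_=-]+$")


def make_handler(challenge_dir):
    """Build a request handler that serves files from challenge_dir under ACME_PREFIX."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if not self.path.startswith(ACME_PREFIX):
                return self._send(404, b"not found")
            token = self.path[len(ACME_PREFIX):]
            if not TOKEN_RE.match(token):
                return self._send(404, b"bad token")
            path = os.path.join(challenge_dir, token)
            if not os.path.isfile(path):
                return self._send(404, b"no such challenge")
            with open(path, "rb") as f:
                return self._send(200, f.read())

        def _send(self, status, body):
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_local_server(challenge_dir):
    """Start the stand-in server on a random loopback port; return (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(challenge_dir))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def check_challenge_url(base_url, token, expected):
    """Fetch the challenge URL for token; return (HTTP status, body matched expected)."""
    url = base_url.rstrip("/") + ACME_PREFIX + token
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read() == expected
    except urllib.error.HTTPError as e:
        return e.code, False


def preflight(challenge_dir, base_url):
    """Drop a random token file into challenge_dir, fetch it via base_url, then clean up."""
    token = secrets.token_urlsafe(32)
    expected = (token + ".constructed-key-authorization").encode()  # stand-in body
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as f:
        f.write(expected)
    try:
        return check_challenge_url(base_url, token, expected)
    finally:
        os.remove(path)


def self_test():
    """Run preflight against the stand-in server plus a traversal and a missing-token probe."""
    with tempfile.TemporaryDirectory() as d:
        srv, url = start_local_server(d)
        try:
            good = preflight(d, url)
            traversal = check_challenge_url(url, "../../etc/passwd", b"")
            missing = check_challenge_url(url, "nosuchtoken", b"")
        finally:
            srv.shutdown()
            srv.server_close()
    return good, traversal, missing


if __name__ == "__main__":
    # Against a real vhost you would instead call, e.g.:
    # preflight("/var/lib/letsencrypt/http_challenges", "http://example.test")
    print(self_test())
```

A passing `preflight()` against the real vhost means the rule or alias is serving the directory; a 404 with the file present points at the RewriteRule or directory permissions rather than at the network.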
It looks like you have a firewall blocking certain IP addresses which includes one that the Let's Encrypt Server(s) use.
For the benefit of other volunteers, I looked but this is not a Palo Alto Networks ACME setting problem.
You can see from the Let's Debug test that an initial HTTP request to your domain got through and saw the expected 404 Not Found result.
But, the second test using the Let's Encrypt server staging system timed out. This is almost always an IP based firewall. Although, also look at any geographic based firewall.
Thanks for the helpful response. This server is open widely on port 80 and 443, but I do know our network currently blocks traffic originating outside the US - so your "geographic based firewall" comment is a helpful hint.
Is there a known list of Let's Encrypt servers that could be used to update our firewall rules?
No, IP addresses of the servers are not published. The IP addresses change frequently on purpose to avoid interference from bad actors. Especially read the link in the below FAQ about multi-perspective authentication.
You may have to change to a DNS Challenge if you cannot open port 80 for the ACME HTTP Challenges.
They check from multiple places, potentially around the world, to confirm that you actually own the name as seen from everywhere. Port 80 needs to be open worldwide in order to use HTTP-01.
If for some reason you can't do that because this is an internal-only system, then you need to use some other challenge type like DNS-01 (which still requires your DNS server to have port 53 available worldwide, but that's much more common).