@craiga You almost certainly have a Palo Alto Networks brand firewall blocking the ACME HTTP Challenge. I can reach your domain unless I use a user-agent the same as Let's Encrypt uses (which Let's Debug also uses).
You need to change the Palo Alto firewall to allow "acme-protocol" in the Applications section. Show your network team the two requests below. Both should result in a 404, but you can see the one with the user-agent like LE fails. We have seen this problem often.
```
curl -i http://arno.com/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Server: Apache/2.4.18 (Ubuntu)

curl -i http://arno.com/.well-known/acme-challenge/Test404 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
```
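The two-request comparison from the post above, as an added example script that is not part of the original post: it fetches the same non-existent challenge path with curl's default User-Agent and with the Let's Encrypt validation User-Agent quoted in the post, then classifies the pair of results. The function names and verdict labels are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): detect User-Agent based
# filtering of the ACME HTTP-01 challenge path by an inline device.
LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe URL [USER_AGENT] -> prints "<curl exit code> <HTTP status>".
# curl reports status 000 when no HTTP response arrived (e.g. exit 56, reset).
probe() {
  p_rc=0
  if [ -n "${2:-}" ]; then
    p_status=$(curl -s -o /dev/null -m 15 -w '%{http_code}' -A "$2" "$1") || p_rc=$?
  else
    p_status=$(curl -s -o /dev/null -m 15 -w '%{http_code}' "$1") || p_rc=$?
  fi
  echo "$p_rc ${p_status:-000}"
}

# classify DEFAULT_RC DEFAULT_STATUS LE_RC LE_STATUS -> one-word verdict
# (verdict labels are hypothetical names chosen for this example)
classify() {
  if [ "$1" -ne 0 ]; then
    echo "unreachable"     # fails even with the default User-Agent
  elif [ "$3" -ne 0 ]; then
    echo "ua-blocked"      # only the LE User-Agent request is dropped or reset
  elif [ "$2" != "$4" ]; then
    echo "ua-dependent"    # both answered, but with different status codes
  else
    echo "consistent"      # same answer regardless of User-Agent
  fi
}

# check_host HOST -> run both probes against a path that should return 404
check_host() {
  c_url="http://$1/.well-known/acme-challenge/Test404"
  c_default=$(probe "$c_url")
  c_le=$(probe "$c_url" "$LE_UA")
  echo "default UA: rc/status = $c_default"
  echo "LE UA:      rc/status = $c_le"
  # Intentional word splitting: each probe result is "<rc> <status>".
  classify $c_default $c_le
}

# Runs only when a hostname is passed, e.g.: ./ua-check.sh example.org
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

A verdict of `ua-blocked` matches the pattern in the post: the default request gets its 404 while the request carrying the validation User-Agent never receives an HTTP response.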