Maybe there's a Palo Alto firewall in front of it? There is definitely user-agent filtering going on.
With "Let's Encrypt" in the user-agent:
root@letsdebug:~# curl -i -H "User-Agent: Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" http://spinnaker.cs.man.ac.uk/.well-known/acme-challenge/PAcqsH4as8Ung2z9TLS-y3OMy_WGd6t4XSfFmsa8xKI
curl: (56) Recv failure: Connection reset by peer
Changing it to "Let's Not Encrypt", it succeeds:
root@letsdebug:~# curl -i -H "User-Agent: Mozilla/5.0 (compatible; Let's Debug emulating Let's Not Encrypt validation server; +https://letsdebug.net)" http://spinnaker.cs.man.ac.uk/.well-known/acme-challenge/PAcqsH4as8Ung2z9TLS-y3OMy_WGd6t4XSfFmsa8xKI
HTTP/1.1 404 Not Found
Server: nginx/1.24.0
Date: Mon, 24 Jul 2023 09:35:47 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
Changing it back fails again:
root@letsdebug:~# curl -i -H "User-Agent: Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" http://spinnaker.cs.man.ac.uk/.well-known/acme-challenge/PAcqsH4as8Ung2z9TLS-y3OMy_WGd6t4XSfFmsa8xKI
curl: (56) Recv failure: Connection reset by peer
For more info see Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol".
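The A/B test from the post above, as an added example that is not part of the original post: it sends the same request with only the user-agent token changed, alternates several rounds to rule out flakiness, and reports a verdict. `FilterStub`, `start_stub`, `probe` and `diagnose` are hypothetical names, and the stub server is a constructed local stand-in for the filtering device so the script runs offline.

```python
import http.client, socket, struct, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UA = ("Mozilla/5.0 (compatible; Let's Debug emulating {} validation server; "
      "+https://letsdebug.net)")  # template taken from the curl commands above

class FilterStub(BaseHTTPRequestHandler):
    """Constructed stand-in: resets when the UA contains "Let's Encrypt"."""
    def do_GET(self):
        if "Let's Encrypt" in self.headers.get("User-Agent", ""):
            # SO_LINGER on with a zero timeout makes close() abort the connection (RST)
            self.connection.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                       struct.pack("ii", 1, 0))
            self.close_connection = True
            self.connection.close()
            return
        self.send_error(404)  # the origin has no such challenge file
    def log_message(self, *args):
        pass  # keep the demo output quiet

def start_stub():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FilterStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(host, port, path, user_agent):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        return f"HTTP {conn.getresponse().status}"
    except ConnectionResetError:  # also covers http.client.RemoteDisconnected
        return "reset"
    except OSError as exc:
        return f"error: {type(exc).__name__}"
    finally:
        conn.close()

def diagnose(host, port, path, suspect, control, rounds=3):
    out = {"suspect": [], "control": []}
    for _ in range(rounds):  # alternate, as the post does, to rule out flakiness
        out["suspect"].append(probe(host, port, path, UA.format(suspect)))
        out["control"].append(probe(host, port, path, UA.format(control)))
    filtered = set(out["suspect"]) == {"reset"} and "reset" not in out["control"]
    out["verdict"] = "user-agent filtering" if filtered else "inconclusive"
    return out

if __name__ == "__main__":
    srv = start_stub()
    print(diagnose("127.0.0.1", srv.server_address[1],
                   "/.well-known/acme-challenge/example-token",
                   "Let's Encrypt", "Let's Not Encrypt"))
    srv.shutdown()
```

To check your own server, call `diagnose` with its host name, port 80 and a challenge path instead of the stub's address.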