It looks like you are affected by a change the Palo Alto company made to their firewalls.
Your symptom is identical to the one below. That is, it responds normally to regular requests but the acme-challenge path is rejected with "reset by peer". Once the firewall is fixed, you will have to wait an hour due to your repeated failures.
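A way to confirm the symptom described in this post, as an added example that is not part of the original reply: the script fetches an ordinary path and a path under `/.well-known/acme-challenge/` and reports whether only the latter is reset. The names `probe`, `diagnose` and `start_filtering_server` and the token `connectivity-test` are hypothetical, and the local server is constructed only to reproduce the behaviour offline.

```python
import http.client
import socket
import struct
import threading

ACME_PREFIX = "/.well-known/acme-challenge/"

def probe(host, port, path, timeout=5):
    """Return 'http <status>' when a response arrives, 'reset' when the peer resets."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return f"http {conn.getresponse().status}"
    except ConnectionResetError:  # also covers a close with no response at all
        return "reset"
    except OSError as exc:  # refused, timed out, unreachable
        return f"error: {type(exc).__name__}"
    finally:
        conn.close()

def diagnose(host, port=80):
    """Fetch an ordinary path and a challenge path and compare the outcomes."""
    normal = probe(host, port, "/")
    # Hypothetical token: a healthy server answers 404 here, which still counts as reachable.
    challenge = probe(host, port, ACME_PREFIX + "connectivity-test")
    filtered = normal.startswith("http ") and challenge == "reset"
    return {"normal": normal, "challenge": challenge, "path_filtered": filtered}

def start_filtering_server():
    """Constructed stand-in: answers 200, but resets any request for the challenge path."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            client, _ = srv.accept()
            request_line = client.recv(4096).split(b"\r\n")[0].decode("latin-1")
            if ACME_PREFIX in request_line:
                # Linger on, timeout 0: close() sends a TCP RST instead of a FIN.
                client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                client.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            client.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(diagnose("127.0.0.1", start_filtering_server()))
```

Against a real site, call `diagnose("your.domain")` from a machine outside the firewall, since the validation requests arrive from the internet side.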