Agreed. And, this problem is similar but not identical. With the cases so far the comms failure was "reset by peer" for URL paths including the acme challenge path. As shown in this thread.
This case shows an http 503 failure instead of "reset by peer". Maybe Palo Alto firewall has changed how they block such a request but it could be something else. Still, looks clearly like some sort of firewall or even server config blocking these specific kinds of requests.
(parts removed from responses for brevity)
curl -I ctf.sonoma.edu/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Server: nginx/1.20.1
Location: http://ctf.sonoma.edu/ctf/.well-known/acme-challenge
curl -I ctf.sonoma.edu/.well-known/acme-challenge/
HTTP/1.1 503 Service Unavailable
P3P: CP="CAO PSA OUR"
curl -I ctf.sonoma.edu/.well-known/acme-challenge/ForumTest
HTTP/1.1 503 Service Unavailable
P3P: CP="CAO PSA OUR"