I wish I'd thought of that
A clear case of "TL;DR".
Yes, I am not known for brevity
Quick update. Sorry it doesn't yet provide a solution.
Just thought I'd say that the curl results information has been passed to the parent company network team.
Also, is it possible to edit the screenshot in the beginning as the network team are concerned that private IP is shown...
Thank you. I'm on a call now so will update later
Firstly, may I thank you all in this thread who have contributed. The solution was indeed to create a rule on the Palo Alto firewall allowing acme-protocol to pass through. There were one or two other issues I think in the firewall which confused things for a while.
But ultimately it was acme-protocol. Allow from public IP to internal IP. Initially this had been set to outbound only. Once it was set to inbound also, the site auto-renewed the certificate before I could make another manual attempt.
Many thanks for confirming Palo Alto firewall. Very helpful.