Well, we haven't seen one of these in quite a while.
There is a (very good) chance that your server hosting company is using a Palo Alto brand firewall.
That brand has an "Application" setting on the firewall for "ACME Protocol". They need to allow that. Some time back Palo Alto disabled ACME by default and we saw these problems often.
Even if it is not that brand, they must have something similar in their firewall.
From my own AWS-based test server, see the results below. You can probably easily reproduce this from other client systems. Using a "user-agent" string similar to Let's Encrypt fails with "reset by peer". The default curl string works as expected.
```
curl -i http://cedar.portagebay.com/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0

curl -i http://cedar.portagebay.com/.well-known/acme-challenge/Test404 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
```
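The comparison in the post above can be scripted so a server operator can rerun it after the hosting company changes the firewall policy. This is an added example, not part of the original post; the function names and verdict labels are assumptions made for illustration, and the host to check is passed as the first argument.

```shell
#!/bin/sh
# Added example: request the same ACME challenge path with curl's default
# User-Agent and with a Let's Encrypt style one, then compare the outcomes.
# A reset that happens only for the second request points at a middlebox
# filtering on the User-Agent (for example an "ACME Protocol" application rule).

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe URL [USER_AGENT] -> prints "<curl exit code> <HTTP status>"
probe() {
    if [ -n "${2-}" ]; then
        p_status=$(curl -s -o /dev/null -m 15 -w '%{http_code}' -A "$2" "$1") \
            && p_rc=0 || p_rc=$?
    else
        p_status=$(curl -s -o /dev/null -m 15 -w '%{http_code}' "$1") \
            && p_rc=0 || p_rc=$?
    fi
    echo "$p_rc ${p_status:-000}"
}

# classify "<rc> <status>" "<rc> <status>" -> verdict (labels are hypothetical)
# First argument: result with the default UA; second: result with the LE-like UA.
classify() {
    d_rc=${1%% *}; d_st=${1##* }
    l_rc=${2%% *}; l_st=${2##* }
    if [ "$d_rc" -ne 0 ] && [ "$l_rc" -ne 0 ]; then
        echo "unreachable"          # both fail: not specific to the User-Agent
    elif [ "$d_rc" -eq 0 ] && [ "$l_rc" -ne 0 ]; then
        echo "ua-filtered"          # e.g. curl exit 56, connection reset by peer
    elif [ "$d_st" != "$l_st" ]; then
        echo "ua-dependent-status"  # both answered, but differently
    else
        echo "consistent"           # same answer either way (a 404 is fine here)
    fi
}

# Run only when a host name is given on the command line.
if [ $# -gt 0 ]; then
    url="http://$1/.well-known/acme-challenge/Test404"
    d=$(probe "$url")
    l=$(probe "$url" "$LE_UA")
    echo "default UA : $d"
    echo "LE-like UA : $l"
    echo "verdict    : $(classify "$d" "$l")"
fi
```

A `consistent` verdict with status 404 on both requests is the healthy result for this test path, since the file does not exist on the server.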