Yeah, I agree with Rudy and Peter this is most likely a Palo Alto Networks firewall causing a problem. We have seen several different symptoms from their recent (last few months) changes to their default rules.
The first set of symptoms is shown here:
Later variations of this are to see a response but with a certain set of response headers for requests to your server. But, that is not your case. Another variation is to only happen when using a user-agent that matches the Let's Encrypt servers. Your tests show this is not your variation.
In short, you are suffering from the "Classic" Palo Alto block 
(almost certainly)
Look for an Application Rule about "acme protocol" in your firewall.