Let’s Encrypt is out here on the public Internet. Even though you’re running certbot on your local QA environment, Let’s Encrypt needs to reach the named servers from the public Internet. It seems like instead when it tries to reach these servers it instead gets to your production servers, not the QA environment.
If you can fix that, so that qa.example.net (or whatever this system is called) leads to your QA environment from the public Internet, then you should be able to go ahead successfully. I understand that it can be embarrassing to reveal the real Fully Qualified Domain Names involved, but it will be very hard for us to help diagnose problems otherwise.
On the other hand, if you know you don’t want the QA environment to be accessible from the public Internet you need to use the DNS challenge instead of TLS-SNI-01. You can do this from the very latest certbot version (0.9.1 or later should be enough) or from shell scripts such as acme.sh BUT you need to be able to change DNS entries for your system from a program, or else it’s a huge pain to do this.