If you fail to obtain a certificate from the staging environment, but you're able to do so on the production instance, this may be due to changes in the validation process. To improve the security of certificate issuance (protection from BGP-directed attacks, causing CAs to believe that the challenge was completed by the authorized server owner, while traffic to the given IP address was being redirected to the attacker), Let's Encrypt started to validate challenges from several different network locations simultaneously (for now, on staging only). See:
Also, please note that if your domain name itself is really confidential, you probably shouldn't use it with Let's Encrypt (or with any other publicly trusted CA - since April 2018, when Google Chrome started to enforce CT), as all certificates get logged to publicly available Certificate Transparency log servers (and once they get logged, you won't be able to remove them from the logs - by design they are append-only). If you got a certificate from the production LE environment, it will be visible there: https://crt.sh/?Identity=%25&iCAID=16418 (this is only a CT log browser, which aggregates certificates from different logs).
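A way to check whether the multi-location validation described above is reaching your server, as an added example that is not part of the original post: it groups challenge requests in a web server access log by token and flags tokens that were not served with a 200 to several distinct source addresses. It assumes the HTTP-01 challenge path `/.well-known/acme-challenge/` and combined log format; the log lines, tokens and the `expected_sources` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined format). IPs are documentation
# ranges, tokens and user agents are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2020:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "validator"
198.51.100.7 - - [12/Mar/2020:10:00:01 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "validator"
203.0.113.25 - - [12/Mar/2020:10:00:02 +0000] "GET /.well-known/acme-challenge/tokenAAA HTTP/1.1" 200 87 "-" "validator"
192.0.2.10 - - [12/Mar/2020:11:30:00 +0000] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 200 87 "-" "validator"
198.51.100.7 - - [12/Mar/2020:11:30:01 +0000] "GET /.well-known/acme-challenge/tokenBBB HTTP/1.1" 403 0 "-" "validator"
192.0.2.10 - - [12/Mar/2020:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "browser"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /\.well-known/acme-challenge/([A-Za-z0-9_-]+) HTTP/[\d.]+" (\d{3}) '
)

def summarize(log_text):
    """Return {token: {source_ip: set of HTTP status codes}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, token, status = m.groups()
            seen[token][ip].add(int(status))
    return seen

def diagnose(log_text, expected_sources=2):
    """Return {token: findings}; an empty list means nothing suspicious.

    expected_sources is a hypothetical threshold, not a CA-published value.
    A validator blocked by a firewall never appears in the log at all, so a
    low count of successful sources is reported as well as explicit errors.
    """
    report = {}
    for token, by_ip in summarize(log_text).items():
        ok = [ip for ip, codes in by_ip.items() if codes == {200}]
        failed = sorted(ip for ip in by_ip if ip not in ok)
        findings = []
        if failed:
            findings.append("non-200 response to " + ", ".join(failed))
        if len(ok) < expected_sources:
            findings.append(f"only {len(ok)} source(s) got 200, "
                            f"expected at least {expected_sources}")
        report[token] = findings
    return report

if __name__ == "__main__":
    for token, findings in diagnose(SAMPLE_LOG).items():
        print(token, "OK" if not findings else "; ".join(findings))
```

A token that shows a single successful source usually points at IP- or geo-based filtering in front of the web server.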