When you pass any kind of ownership challenge for your domain, Let’s Encrypt stores an authorization for that domain (associated with your account key) that gives you the ability to issue additional certificates for a certain period (currently 90 days, probably going to be changed to ~7 days in the future). My best guess is that you successfully passed a http-01 (webroot) challenge at one point, and the authorization you got is still valid, so Let’s Encrypt doesn’t bother to check whether you’re actually able to solve the challenge again.
Since the staging environment (which is what’s used when you run with --dry-run) doesn’t share the same database as production, you don’t have a valid authorization associated with your account key there, so no luck without passing the challenge.