I got a fake certificate from your staging server. Perfect. So far, so good.
Then I shut down my server and ran my software again. I got another certificate! It appears to me that your server didn’t bother to challenge my server the second time.
Why should you issue a certificate to a server that is not even running, thus not able to satisfy your challenge?
TL:DR the challenge authenication is “binded” to your account key and that stays valid even after the challenge validation is completed for a period of time. The server realizes this and uses the cached validation.