application/jose+json was for the
SimpleHTTP challenge. A recent spec revision replaced
http-01, which fixes a signature reuse issue. In theory, the required Content-Type is
SimpleHTTP challenges (which will soon go away), and
http-01, which is currently implemented and available in staging and prod. However, looking at the code, it appears that neither Content-Type is currently enforced in Boulder. I’ve filed a bug: https://github.com/letsencrypt/boulder/issues/1089.
Note that the client does it’s own pre-check before submitting the request to Boulder for validation, and the client check is currently stricter than Boulder. Reading the client code, it appears that the client only allows
text/plain, when it should really allow either that or no Content-Type header. Filed a bug: https://github.com/letsencrypt/letsencrypt/issues/1356
Thanks for bringing up this issue!