diff --git a/wfe/web-front-end.go b/wfe/web-front-end.go
index a9a1da249..847b32ef2 100644
--- a/wfe/web-front-end.go
+++ b/wfe/web-front-end.go
@@ -887,7 +887,7 @@ func (wfe *WebFrontEndImpl) Challenge(
 	logEvent.Extra["AuthorizationExpires"] = authz.Expires
 
 	switch request.Method {
-	case "GET":
+	case "GET", "HEAD":
 		wfe.getChallenge(response, request, authz, &challenge, &logEvent)
 
 	case "POST":
diff --git a/wfe/web-front-end_test.go b/wfe/web-front-end_test.go
index 80cb5e6c2..892e42382 100644
--- a/wfe/web-front-end_test.go
+++ b/wfe/web-front-end_test.go
@@ -666,6 +666,44 @@ func TestIssueCertificate(t *testing.T) {
 	test.AssertContains(t, reqlogs[0].Message, `"CommonName":"not-an-example.com",`)
 }
 
+func TestGetChallenge(t *testing.T) {
+	wfe := setupWFE(t)
+
+	wfe.RA = &MockRegistrationAuthority{}
+	wfe.SA = &mocks.StorageAuthority{}
+
+	challengeURL := "/acme/challenge/valid/23"
+
+	for _, method := range []string{"GET", "HEAD"} {
+		resp := httptest.NewRecorder()
+
+		req, err := http.NewRequest(method, challengeURL, nil)
+		test.AssertNotError(t, err, "Could not make NewRequest")
+
+		wfe.Challenge(resp, req)
+		test.AssertEquals(t,
+			resp.Code,
+			http.StatusAccepted)
+		test.AssertEquals(t,
+			resp.Header().Get("Location"),
+			challengeURL)
+		test.AssertEquals(t,
+			resp.Header().Get("Content-Type"),
+			"application/json")
+		test.AssertEquals(t,
+			resp.Header().Get("Link"),
+			`</acme/authz/valid>;rel="up"`)
+		// Body is only relevant for GET. For HEAD, body will
+		// be discarded by HandleFunc() anyway, so it doesn't
+		// matter what Challenge() writes to it.
+		if method == "GET" {
+			test.AssertEquals(
+				t, resp.Body.String(),
+				`{"type":"dns","uri":"/acme/challenge/valid/23"}`)
+		}
+	}
+}
+
 func TestChallenge(t *testing.T) {
 	wfe := setupWFE(t)