Fixed certificate template fetch failing with misleading DNS errors

[getvictor]

Related issue: Resolves #42624

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests

• Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)

• QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

• Confirmed that the fix is not expected to adversely impact load test results
• Alerted the release DRI if additional load testing is needed

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
• Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

• Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

• Verified that the setting is exported via fleetctl generate-gitops
• Verified the setting is documented in a separate PR to the GitOps documentation
• Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
• Verified that any relevant UI is disabled when GitOps mode is enabled

fleetd/orbit/Fleet Desktop

• Verified compatibility with the latest released version of Fleet (see Must rule)
• If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
• Verified that fleetd runs on macOS, Linux and Windows
• Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

• Bug Fixes
  • Fixed certificate template retrieval failures that displayed misleading DNS errors. Optimized HTTP request header handling for GET requests to prevent these errors during certificate enrollment operations.

[getvictor]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[Copilot]

Pull request overview

Fixes the Android agent’s certificate template GET request behavior to avoid sending a Content-Type: application/json header on bodyless GETs, which can be rejected by intermediaries and surface as misleading DNS errors (per #42624).

Changes:

• Only set Content-Type: application/json when a request actually writes a JSON body (non-GET with non-null body).
• Remove dead code in getCertificateTemplate that previously constructed a request body for a GET.
• Add a regression test asserting GET certificate template retries do not include a Content-Type header.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

File	Description
android/app/src/main/java/com/fleetdm/agent/ApiClient.kt	Moves Content-Type header setting into the body-writing path; removes unused GET-body code for certificate templates.
android/app/src/test/java/com/fleetdm/agent/ApiClientReenrollTest.kt	Adds assertion that GET requests (certificate template fetch) do not include Content-Type.
android/changes/42624-fix-certificate-template-get-content-type	Adds Android changelog entry for the fix.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b535fa28-f0ba-4aab-b174-f2bef6403c1f

📥 Commits

Reviewing files that changed from the base of the PR and between 181bc1b and 7d291c1.

📒 Files selected for processing (4)

• android/app/src/main/java/com/fleetdm/agent/ApiClient.kt
• android/app/src/test/java/com/fleetdm/agent/ApiClientReenrollTest.kt
• android/changes/.keep
• android/changes/42624-fix-certificate-template-get-content-type

---

Walkthrough

This PR modifies the ApiClient to conditionally set the Content-Type: application/json header only when a request has a body and the HTTP method is not GET. The getCertificateTemplate method was updated to remove unused request body construction for the GET call. A test assertion was added to verify that GET requests do not include the Content-Type header. A changelog entry documents the fix addressing failures caused by network intermediaries rejecting GET requests with Content-Type headers.

Possibly related PRs

• Android app re-enroll on 401 #38690: Modified getCertificateTemplate and makeRequest to add 401 re-enroll wrapper logic, which this PR refines with conditional Content-Type header handling.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description links to issue #42624 and includes the template, but all checklist items are unchecked and lack substantive detail about testing, validation, or specific implementation approach.	Check off applicable checklist items (changes file added, automated tests updated) and provide details on testing and validation performed for this fix.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'Fixed certificate template fetch failing with misleading DNS errors' accurately and concisely summarizes the main change: fixing GET requests sending improper Content-Type headers.
Linked Issues check	✅ Passed	Code changes directly address all stated objectives: Content-Type header now conditionally set only for non-GET requests, GetCertificateTemplateRequest removed, and test assertion added to verify GET requests lack Content-Type.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #42624: conditional header setting in ApiClient, removal of dead code in getCertificateTemplate, test assertion for header validation, and changelog entry.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch victor/42624-android-get-content-type

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 66.67%. Comparing base (f55eb08) to head (cc5f58c).
⚠️ Report is 11 commits behind head on main.

Files with missing lines	Patch %	Lines
...d/app/src/main/java/com/fleetdm/agent/ApiClient.kt	75.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #42625   +/-   ##
=======================================
  Coverage   66.67%   66.67%           
=======================================
  Files        2533     2533           
  Lines      203216   203208    -8     
  Branches     9231     9228    -3     
=======================================
- Hits       135485   135482    -3     
+ Misses      55469    55465    -4     
+ Partials    12262    12261    -1     

Flag	Coverage Δ
android	46.75% <75.00%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.