<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42624
**Related issue:** Resolves#37546
- Fixed certificate template fetch failing with DNS errors (known
Android issue)
- stop polling certs that failed permanently
- CertificateOrchestrator: When server returns template status "failed",
mark the certificate as locally failed (markCertificateForceFailed) and
stop polling
- CertificateOrchestrator: Non-retryable SCEP failures (e.g.
ScepEnrollmentException) now immediately mark as failed and report to
server, skipping the 3-attempt retry logic
- CertificateOrchestrator: recordEnrollmentAttemptFailure now stores the
uuid, fixing a bug where the FAILED guard was bypassed because stored
uuid was empty
- CertificateOrchestrator: Renamed markCertificateFailure to
recordEnrollmentAttemptFailure and added markCertificateForceFailed for
clarity
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed certificate template retrieval failures that displayed
misleading DNS errors. Optimized HTTP request header handling for GET
requests to prevent these errors during certificate enrollment
operations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
