topic Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output. in All Apps and Add-ons

External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output.

sebastiandelrea — Mon, 18 Mar 2019 14:37:30 GMT

I'm configure an OPSEC LEA object on Splunk and I see the following error:

How can I solve it? The IP addresses are from the CheckPoint manager.

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output.

junedec21 — Wed, 27 Mar 2019 08:49:24 GMT

I am seeing the same error. No solution yet ?

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output.

junedec21 — Wed, 27 Mar 2019 09:02:33 GMT

@sebastiandelreal Were you able to resolve it?

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output.

kpanchal_splunk — Wed, 18 Sep 2019 07:34:08 GMT

@sebastiandelreal This issue will occur when you will not be having the port 18210 open on your Checkpoint server.
Kindly verify if the port 18210 is reachable from your Splunk instance

To verify the port reachability, you can use the telnet command from your Splunk instance.

FYI - @junedec21

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output.

edavisj — Wed, 13 Nov 2019 13:31:36 GMT

I was having this same issue but believe I've found a fix to it. I'm assuming you're running on a Linux OS as from what I understand this app won't run on a Windows server due to the application dependencies.

Searching this error results in a lot of people suggesting to install the 32 bit glibc and pam libraries which I did but I still kept getting the error. This initial portion of the configuration is just establishing the communication and pulling a certificate from your management server and is done so through a python script located at:
/opt/splunk/bin/etc/apps/Splunk_TA_checkpoint-opseclea/bin/./pull-cert.sh

When I tried to manually run that script I received the following error:
[root@splunkserver bin]# ./pull-cert.sh
./opsec-tools/opsec_pull_cert: error while loading shared libraries: libnsl.so.1: cannot open shared object file: No such file or directory

I installed libnsl.i686 and afterwards was able to run the script. I then tried to run the application via the GUI and was able to successfully establish the connection/pull the cert.

I'm using CentOS so my fix was: sudo yum install glibc.i686 pam.i686 libnsl.i686 but obviously if you're on something like Ubuntu/Debian you'd do sudo apt install glibc.i686 pam.i686 libnsl.i686.

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate from server'. See splunkd.log for stderr output.

sylax — Fri, 06 Dec 2019 17:01:13 GMT

This resolved the issue.

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate fr

splunkreal — Wed, 24 Jun 2020 13:21:35 GMT

New connections fail with "REST API ERROR 400" or "Fatal error: glibc detected an invalid stdio handle" on Linux with a glibc version higher than 2.17-196

Workaround:
1. Download file at https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=50832

replace $SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools binaries with the updated versions.

3. After you update the two binaries, you must reset the one time password.

=> This worked for me.

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate fr

_smp_ — Wed, 02 Sep 2020 21:13:39 GMT

You are the MAN! Thank you!

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate fr

rafamss — Tue, 22 Sep 2020 21:48:06 GMT

I've had the same problem and I updated the add-on with this patch from Checkpoint. You could try this @junedec21 .

https://supportcenter.checkpoint.com/supportcenter/portal/user/anon/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=50832

Re: External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request - Failed to fetch the certificate fr

boyanmilushev — Mon, 23 Aug 2021 11:45:05 GMT

I had the same issue and coudn't fix it by following the guidelines above and updating the binaries in:
$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/bin/opsec-tools

I fixed it this way:

1. I saw that the new SIC certificate was PULLED SUCCESSFULLY from the CheckPoint server regardless the error message "External handler failed with code '1' and output: 'REST ERROR[400]: Bad Request..."
The certificate was available in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/certs"

2. I manually editted the opseclea_connection.conf in "$SPLUNK_HOME/etc/apps/Splunk_TA_checkpoint-opseclea/local" and added the new certificate under the problematic connection stanza:

[connection_stanza_name]
cert_name = connection_1234567890.p12 <-- Put the name of the new certificate here
fw_version = R80
lea_app_name = Splunk_Server_LEA
lea_server_auth_port = 18184
lea_server_auth_type = sslca
lea_server_ip = 10.10.10.10
lea_server_type = primary
management_server_ip = 10.10.10.11
opsec_entity_sic_name = CN=***,O=***
opsec_sic_name = CN=Splunk_Server_LEA,O=***
disabled = 0

No need to restart splunkd! The connection started working right away. No error messages anymore.

I hope it helps colleagues who had the same issue.