Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error while installing SOAR version 6.4.1

SOAR_098
Loves-to-Learn Lots
‎11-06-2025 02:13 PM

Running a clean install on Amazon Linux 2023. Followed the instructions on the install page for the soar-prepare-system command, not running clustered, default options for everything, created the phantom user with no trouble. /opt/splunk-soar is owned by phantom, ran the soar-install command as phantom, got through everything fine until the GitRepos step, hit this error:

"INSTALL: GitRepos

Configuring default playbook repos

Failed to bootstrap playbook repos
Install failed."

Detailed error logs look kind of ugly, but seeing this:

File \"/opt/splunk-soar/usr/python39/lib/python3.9/site-packages/git/cmd.py\", line 1388, in execute", " raise GitCommandError(redacted_command, status, stderr_value, stdout_value)", "git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)", " cmdline: git ls-remote --heads https://github.com/phantomcyber/playbooks", " stderr: 'fatal: unable to access 'https://github.com/phantomcyber/playbooks/': SSL certificate problem: self-signed certificate in certificate chain'"], "time_elapsed_since_start": 6.000021, "time_elapsed_since_operation_start": 4.386305}
Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-06-2025 11:24 PM

The typical reason for this if you're doing it in corporate environment is TLS inspection sollution. It does a MITM on the connection and uses its own CA to dynamically create a cert for your connection. This CA's cert is typically pushed to endpoints with GPO, Ansible or whatever your company is using.

0 Karma
Reply

SOAR_098
Loves-to-Learn Lots
‎11-07-2025 10:02 AM

What would be the additional certificates in that case if I can add to avoid the issue? And where usually we can add those before starting installation?

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎11-06-2025 10:47 PM

Hi @SOAR_098 

Is your instance behind a proxy server? Could you try the following to show what certificate is returned:

openssl s_client -showcerts -connect github.com:443

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

SOAR_098
Loves-to-Learn Lots
‎11-07-2025 10:00 AM

I do see some certificates on executing these commands, do I need to add those somewhere before starting installation of SOAR?

0 Karma
Reply

thahir
Contributor
‎11-06-2025 10:13 PM

@SOAR_098  The error which you encountered is because of ssl cert , the ssl cert is not trusted by the server.

Import the necessary cert to the host, you can refer the below url for more reference.

https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.0/manage-spl... 

0 Karma
Reply

PrewinThomas
Motivator
‎11-06-2025 08:13 PM

@SOAR_098 

The error SSL certificate problem: self-signed certificate in certificate chain means the system’s CA trust store is incomplete. You need to fix certificate trust so the installer can clone the default playbook repo.

Run manually as the phantom user, you will be getting same error message.

git ls-remote https://github.com/phantomcyber/playbooks

Refer below,

#https://community.splunk.com/t5/Splunk-SOAR/quot-Failed-to-bootstrap-playbook-repos-quot-on-clean-in...


Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

SOAR_098
Loves-to-Learn Lots
‎11-07-2025 09:59 AM

Executing the below command, it does not give error

git ls-remote https://github.com/phantomcyber/playbooks

 

0 Karma
Reply

SOAR_098
Loves-to-Learn Lots
‎11-07-2025 09:56 AM

For this would need the certificate to add but this $SOAR_HOME/etc/cacerts.pem is created after SOAR is installed. So even if I add that missing certificate, during fresh reinstallation, how to add that certificate then?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...