Issue connecting to Github repo with Github App credentials

I’m having issues with connecting to our Github repositories using Github App credentials. I have a second test server that works fine using the same credentials and repo URL. The big difference is the problem server is running HTTPS. The error I get is:

An internal error occurred during form field validation (HTTP 500). Please reload the page and if the problem persists, ask the administrator for help.

Please help.

AJ

Jenkins: 2.504.2
OS: Linux - 5.15.0-153-generic
Java: 17.0.16 - Ubuntu (OpenJDK 64-Bit Server VM)

active-directory:2.40
ant:518.v8d8dc7945eca_
antisamy-markup-formatter:173.v680e3a_b_69ff3
apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83
asm-api:9.8-163.vb_2a_96d3f9c3c
authentication-tokens:1.144.v5ff4a_5ec5c33
badge:2.10
bootstrap5-api:5.3.8-876.vb_c62a_27d9a_77
bouncycastle-api:2.30.1.81-264.v95c79c0e772c
branch-api:2.1244.vf95c81f1641c
build-failure-analyzer:2.5.5
build-timeout:1.38
build-with-parameters:76.v9382db_f78962
caffeine-api:3.2.2-178.v353b_8428ed56
checks-api:373.vfe7645102093
cloudbees-folder:6.1040.v8a_e6330a_54e3
command-launcher:123.v37cfdc92ef67
commons-lang3-api:3.18.0-98.v3a_674c06072d
commons-text-api:1.14.0-194.v804a_dc3a_1b_d8
conditional-buildstep:1.5.0
copyartifact:770.va_6c69e063442
credentials:1447.v4cb_b_539b_5321
credentials-binding:702.vfe613e537e88
cygpath:1.5
dark-theme:524.vd675b_22b_30cb_
disk-usage:1.3
display-url-api:2.217.va_6b_de84cc74b_
docker-commons:457.v0f62a_94f11a_3
docker-workflow:621.va_73f881d9232
durable-task:595.ve87b_f1318d67
echarts-api:6.0.0-1146.v5c8f3b_8f0573
eddsa-api:0.3.0.1-19.vc432d923e5ee
editable-choice:71.v02a291ebbe45
email-ext:1925.v1598902b_58dd
emoji-symbols-api:17.0-57.v8d44b_9a_b_d5ea_
envinject:2.926.v69c9b_3896a_96
envinject-api:1.235.va_14c74f8f487
extensible-choice-parameter:239.v5f5c278708cf
external-monitor-job:223.vb_fddcf42c9b_3
fail-the-build-plugin:5.v153b_2c826ef0
favorite:2.253.v9b_413168133b_
file-parameters:385.v1cf03fdff8ce
font-awesome-api:7.0.1-859.v128d3a_efb_6e5
git:5.7.0
git-client:6.4.0
git-parameter:444.vca_b_84d3703c2
git-tag-message:1.7.1
github:1.45.0
github-api:1.330-492.v3941a_032db_2a_
github-branch-source:1862.v1a_fc22a_d3788
gradle:2.16.1149.v711b_998b_0532
groovy-postbuild:272.v52a_03efb_8653
gson-api:2.13.2-173.va_a_092315913c
hidden-parameter:494.v9d2513a_9994d
htmlpublisher:427
instance-identity:203.v15e81a_1b_7a_38
ionicons-api:94.vcc3065403257
jackson2-api:2.20.0-411.v6ef8fdee4fe9
jakarta-activation-api:2.1.3-2
jakarta-mail-api:2.1.3-3
javadoc:354.vee1a_660b_4990
javax-activation-api:1.2.0-8
javax-mail-api:1.6.2-11
jaxb:2.3.9-133.vb_ec76a_73f706
jdk-tool:83.v417146707a_3d
jfrog:1.5.10
jjwt-api:0.11.5-120.v0268cf544b_89
job-import-plugin:122.v35289550f1e6
jobConfigHistory:1356.ve360da_6c523a_
joda-time-api:2.14.0-149.v1c3ce991d1b_9
jquery3-api:3.7.1-594.vb_3864f326cf0
jsch:0.2.16-95.v3eecb_55fa_b_78
json-api:20250517-173.v596efb_962a_31
json-path-api:2.9.0-190.veefca_05d5477
jsoup:1.21.2-66.v6ea_38164b_8a_2
junit:1355.v45e2ea_65863c
last-changes:456.vc484b_627e803
ldap:780.vcb_33c9a_e4332
leastload:62.vfa_8830902733
log-parser:2.5.0
mail-watcher-plugin:1.20
mailer:522.va_995fa_cfb_8b_d
mapdb-api:1.0.9-44.va_1e1310c9118
mask-passwords:204.v24d863065180
matrix-auth:3.2.8
matrix-project:858.vb_b_eb_9a_7ea_99e
maven-plugin:3.27
metrics:4.2.33-484.v2fcd689980d1
mina-sshd-api-common:2.16.0-167.va_269f38cc024
mina-sshd-api-core:2.16.0-167.va_269f38cc024
next-build-number:66.v4b_4762172d53
nodelabelparameter:759.vb_b_e95db_f3251
okhttp-api:4.11.0-189.v976fa_d3379d6
oss-symbols-api:392.v27a_482d90083
pam-auth:1.12
parameterized-trigger:873.v8b_e37dd8418f
pipeline-build-step:571.v08a_fffd4b_0ce
pipeline-github-lib:65.v203688e7727e
pipeline-graph-analysis:245.v88f03631a_b_21
pipeline-graph-view:628.va_6f6a_1d12848
pipeline-groovy-lib:752.vdddedf804e72
pipeline-input-step:534.v352f0a_e98918
pipeline-milestone-step:138.v78ca_76831a_43
pipeline-model-api:2.2265.v140e610fe9d5
pipeline-model-definition:2.2265.v140e610fe9d5
pipeline-model-extensions:2.2265.v140e610fe9d5
pipeline-rest-api:2.38
pipeline-stage-step:322.vecffa_99f371c
pipeline-stage-tags-metadata:2.2265.v140e610fe9d5
pipeline-stage-view:2.38
plain-credentials:199.v9f8e1f741799
plugin-util-api:6.1167.v022176c7e0ca_
powershell:2.3
rebuild:338.va_0a_b_50e29397
resource-disposer:0.25
run-condition:243.v3c3f94e46a_8b_
scm-api:707.v749f968369d4
script-security:1378.vf25626395f49
show-build-parameters:1.0
agent-utilization-plugin:1.8
snakeyaml-api:2.3-125.v4d77857a_b_402
ssh-credentials:361.vb_f6760818e8c
ssh-slaves:3.1071.v0d059c7b_c555
sshd:3.374.v19b_d59ce6610
structs:353.v261ea_40a_80fb_
subversion:1292.ve8cf25770ee3
theme-manager:319.v9193461f9671
throttle-concurrents:2.18
timestamper:1.30
token-macro:477.vd4f0dc3cb_cf1
trilead-api:2.209.v0e69b_c43c245
variant:70.va_d9f17f859e0
veracode-scan:25.6.25.0
versionnumber:234.v315d3b_3cb_fb_5
windows-cloud:1.0.1
workflow-aggregator:608.v67378e9d3db_1
workflow-api:1384.vdc05a_48f535f
workflow-basic-steps:1079.vce64b_a_929c5a_
workflow-cps:4183.v94b_6fd39da_c1
workflow-durable-task-step:1458.va_2e10a_a_b_7c4d
workflow-job:1546.v62a_c59c112dd
workflow-multibranch:811.vcd33d074c2a_0
workflow-scm-step:437.v05a_f66b_e5ef8
workflow-step-api:706.v518c5dcb_24c0
workflow-support:976.vb_d9493c2eb_09
ws-cleanup:0.49

Jenkins setup:

Welcome back, @mcseforsale.

The error may happen because Jenkins cannot validate GitHub App credentials when running over HTTPS, but it works over HTTP, which almost always means an SSL/TLS trust issue.

Below are some steps that may help fix it:

Step-by-step Troubleshooting

1. Verify Jenkins URL configuration

• Go to: Manage Jenkins (the little on the top right) → System
• Make sure the Jenkins URL is set to the correct https://... address.
• Incorrect URLs may break OAuth callbacks from GitHub.

2. Update Java CA certificates

If the Java runtime used by Jenkins doesn’t trust your HTTPS certificate:

sudo apt-get update
sudo apt-get install ca-certificates
sudo update-ca-certificates

• Then restart Jenkins to reload the trust store.

3. Add self-signed certificate (if applicable)

If using a self-signed or private CA certificate, you must import it manually:

sudo keytool -import \
  -alias mycert \
  -keystore /etc/ssl/certs/java/cacerts \
  -file /path/to/cert.crt

Default keystore password is changeit.

Then restart Jenkins again.

4. Check proxy/firewall settings

• If your server uses a proxy:
  • Go to Manage Jenkins → System
  • Set the correct proxy host/port and credentials if needed.

5. Verify system clock

• Make sure your server’s clock is correct (timedatectl status)
• SSL validation fails if the system time is significantly off.

6. Enable debug logging

If the problem persists, enable detailed logs:

• Go to Manage Jenkins → System Log → Add recorder
• Add a logger for
  org.jenkinsci.plugins.github_branch_source
• Set it to FINE or ALL

This should show the exact SSL or credential error in the logs.

7. Plugin compatibility

• Update the following plugins to their latest versions:
  • GitHub Branch Source
  • GitHub API for Jenkins
• Make sure they are compatible with your current Jenkins version.

Most common root cause

Missing or outdated CA certificates in the Java trust store.
Fixing this (steps 2–3) should resolve most HTTPS validation issues with GitHub Apps.

One-liner Trust Check

openssl s_client -connect your-jenkins-domain:443 -showcerts </dev/null 2>/dev/null | \
openssl x509 -noout -fingerprint -sha256

Then:

keytool -list -keystore "$JAVA_HOME/lib/security/cacerts" \
  -storepass changeit | grep -i "<some part of the cert CN or fingerprint>"

What this does

1. The first command:

• Connects to your HTTPS Jenkins endpoint
• Prints the certificate fingerprint

2. The second command:

• Lists all certificates trusted by Java
• Lets you verify if that fingerprint (or CN) is already trusted

If it’s missing, then your Java runtime doesn’t trust the server’s certificate, which may cause the GitHub Branch Source plugin’s credential validation to fail.