All HTTPS certificates are issued by some entity. These certificates are often signed by a Certificate Authority or CA. That signature’s authenticity is verified against the CA’s certificate which could also be signed by another CA. This can continue in a chain until you either reach the end of the chain or reach certificate signed by a CA that the system implicitly trusts (also known as a “root CA”).

For example, you can see the list of root CAs recognized by your system on macOS by using the Keychain Access app under the System Roots keychain:

Screen Shot 2019-01-25 at 10.45.18 AM.png2534×1876 1.08 MB

Different systems can have different lists of trusted root CAs. This is why your browser and our webhook system can have different results when attempting to create an HTTPS connection to the same system.

On the other hand, we haven’t had any reports of Let’s Encrypt certificates not being honored by our webhook system. You may want to ensure that your system is serving the entire certificate chain when establishing HTTPS connections.

If you continue to run into problems, you may want to write into private support at https://github.com/contact so they can take a deeper look at your configuration.

I hope that helps!

Were you able to determine if this was this issue?

I still haven’t been able to determine what is the issue.

https://whatsmychaincert.com/ indicates my server is misconfigured and provides a chain it should be using. The suggested chain only contains Let’s Encrypt Authority X3 , whereas the fullchain.pem served by Jenkins contains both my own domain cert and the Let’s Encrypt Authority X3 cert. When using the suggested chain neither my browser nor GitHub successfully connect over HTTPS.

If this persists I will write into private support.

Ah, interesting, I’m having the exact same issue! We’re using fullchain.pem and if we use the suggested chain neither the browser nor GitHub successfully connect over HTTPS. Not sure how to proceed at this point.

If you do make progress through private support, please update here if possible.

This solution works great. Thank you!

Note that Jenkins won’t start when generating the keys.pkcs12 and keystore files using two different passwords. Using the same password for both files solves this problem.

Someone posted a solution to this problem, which worked for me. You may want to give it a try.

Thanks for your help :slight_smile:

Thanks to give solustion but how when using jenkins in kubernetes any clue running customer jenkins with option --httpsKeyStore and --httpsKeyStorePassword