I think you're encountering the problem reported here: https://issues.jenkins-ci.org/browse/JENKINS-20941
From the symptoms I'm seeing, the credentials you put into Jenkins are used for checking out the top level repo, but they're not used when trying to get the submodule updates.
There are two angles for a workaround:
- Put the key file(s) onto all your build slaves
- Update your job configurations to update explicitly
Or you can just wait for the maintainers to fix it, or fix it yourself :-)
Hope this helps