For OTA distribution you have to use a valid distribution provisioning profile. A distribution provisioning profile requires a distribution certificate.
Quoting Apple's documentation:
Before an app can be distributed, your team must have a valid distribution certificate linked to a distribution provisioning profile. Only team admins can create or install a distribution certificate. Each team can have only one active distribution certificate. The team admin can either use Xcode to create a distribution certificate or manually request and download one from iOS Provisioning Portal.
The certificate requires the private key that was used to generate it. There are two ways to get the private key onto the build server:
To prevent “User interaction is not allowed” errors, you have to run the build manually from the command line (using the OS X Terminal, not SSH) and confirm keychain access by clicking “Always Allow” when the popup is shown; this is needed whenever a new provisioning profile is added.
You can also disable this check for your distribution certificate key in the Keychain Access settings:
Jenkins iOS job setup
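As an added example (not part of the original post): a pre-build step that fails fast when the build user's keychain has no distribution identity, that is, the distribution certificate together with its private key. It parses the output of `security find-identity -v -p codesigning`; the sample outputs, names and team IDs are constructed, and the function names and the `--live` switch are this example's own. It does not test the keychain access prompt itself.

```shell
#!/bin/bash
# Added example: pre-build check that the build user's keychain holds a
# distribution identity, i.e. the certificate together with its private key.

# Constructed sample of `security find-identity -v -p codesigning` output;
# the hashes, names and team IDs are made up.
SAMPLE_WITH_KEY='  1) 1111111111111111111111111111111111111111 "iPhone Developer: Jane Doe (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "iPhone Distribution: Example Corp (BBBBBBBBBB)"
     2 valid identities found'
# Same server when the distribution private key is missing: a certificate
# without its key is not an identity, so it is not listed at all.
SAMPLE_NO_KEY='  1) 1111111111111111111111111111111111111111 "iPhone Developer: Jane Doe (AAAAAAAAAA)"
     1 valid identities found'

# stdin: find-identity output. stdout: distribution identity names, one per line.
distribution_identities() {
    sed -nE 's/^ *[0-9]+\) [0-9A-Fa-f]{40} "((iPhone|Apple) Distribution: [^"]*)".*$/\1/p'
}

# check_distribution_identity [TEAM]
# stdin: find-identity output. Returns 0 if a distribution identity is listed
# (and, when TEAM is given, one whose name contains TEAM); 1 otherwise.
check_distribution_identity() {
    local team="${1:-}" found
    found=$(distribution_identities)
    if [ -n "$team" ]; then
        found=$(printf '%s\n' "$found" | grep -F -- "$team" || true)
    fi
    if [ -z "$found" ]; then
        echo "no usable distribution identity${team:+ for $team}" >&2
        return 1
    fi
    echo "$found"
}

if [ "${1:-}" = "--live" ]; then
    # On the build server (macOS): query the real keychain search list.
    security find-identity -v -p codesigning | check_distribution_identity "${2:-}" || exit 1
else
    # Offline demonstration on the constructed sample.
    echo "$SAMPLE_WITH_KEY" | check_distribution_identity "Example Corp"
fi
```

Run with `--live` (optionally followed by a team name) as the first build step of the job, so a missing key stops the build before signing is attempted.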