"A TLS error occurred" on multiple systems

I am new to HiveMQ but a current user of an in house MQTT broker. I am using mosquitto_pub/sub to test initial connection to the cloud broker before updating our code.
I am a TLS beginner but I’m familiar with MQTT/Mosquitto.

I have tried connection on 4 systems: Windows(Win10 - mosquitto v2.0.14), Ubuntu(18.04 - mosq 2.0.10), Ubuntu(20.04 - mosq 2.0.14), Pi(10(Buster) - mosq 1.5.7)

I’m running:
mosquitto_pub -h xxxxxxxxxxxxxxxxxx.s1.eu.hivemq.cloud -p 8883 -u xxxxxx -P xxxxxx -t ‘my/test/topic’ -m ‘Hello2’
mosquitto_sub -h xxxxxxxxxxxxxxxxxx.s1.eu.hivemq.cloud -p 8883 -u xxxxxx -P xxxxxx -t my/test/topic

The Ubuntu 20.04 works perfectly ‘out-the-box’ as describe in the getting started guides, without defining the tls cafile on the command line. This shows that the host/port/usr/pwd are all good.

On Windows and the Ubuntu 18.04 systems I consistently get “Error: A TLS error occurred”. This happens whether or not I include the “–cafile trustid-x3-root.pem” ( I know it has found the ca file because if a mistype it I get a file not found error instead)

On the Pi mos_sub seems to works (IE it gives no errors) but mos_pub gives me “Error: The connection was lost.” without the --cafile switch, and “Error: Problem setting TLS options.” with it.

I not sure what to try next. Any suggestions would be welcome.


Hi Hermansam,

and welcome our HiveMQ community! So, to summarise the issue, the mosquitto- _pub and _sub had TLS issues when connecting to the HiveMQ Cloud broker. What about the MQTT CLI client – did it work fine on all above listed OS?

Dasha from HiveMQ Team

I’ve only tried it on Windows and it did work. I haven’t tried it on the Linux boxes.
Mosquitto are the tools we know and would prefer to keep

Hi hermansam,

thank you for clarification. Trying out the MQTT CLI could help narrow down, if the problem lies within the system TLS or the mosquitto library.

Generally the HiveMQ cloud broker is working. TLS errors on different systems suggests that the used certificate is not trusted on those systems.

Try to create the PEM file directly for your endpoint as described in our cloud FAQ: Frequently Asked Questions and please let us know if that worked for you.

Dasha from HiveMQ Team

Thanks, Dasha,

With MQTT-Cli on Windows I have successful connection with the --cafile server.pem argument. Without it I get “Server closed connection without DISCONNECT.” This is OK because our product requires a client certificate.

mqtt pub -u -pw -p 8883 -h 123456789.s1.eu.hivemq.cloud -t ‘my/test/topic’ -m ‘hello’ --cafile server.pem
mqtt sub -u -pw -p 8883 -h 123456789.s1.eu.hivemq.cloud -t ‘my/test/topic’ --cafile server.pem

The exact same commands on Linux, without --cafile, give: “Error: A TLS error occurred.”
If I add --cafile I get “PUBLISH: CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.”


Hi Rob,

Thank you for providing further information about the issue.

Message: “CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.” usually indicates an issue with either username or password – are you sure you are using correct credentials?

What output do you get, if instead of --cafile you put in --secure flag, could you please check that?

Thank you,
Dasha from HiveMQ Team

This cannot be the usr/pwd. I’m using exactly the same credentials, in fact a copy/paste of the actual command line, in Windows.

The --secure option gives me: “PUBLISH: Server closed connection without DISCONNECT.”

Hey Rob,

Could you please also confirm which java -version you are using (on Pi, Ubuntu 18, 20 and Windows)?

Dasha from HiveMQ Team

java version “17.0.2” 2022-01-18 LTS
Java™ SE Runtime Environment (build 17.0.2+8-LTS-86)
Java HotSpot™ 64-Bit Server VM (build 17.0.2+8-LTS-86, mixed mode, sharing)

Linux (Ub16.04):
openjdk version “1.8.0_212”
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b03-0ubuntu1.16.04.1-b03)
OpenJDK 64-Bit Server VM (build 25.212-b03, mixed mode)

Linux (Ub20.04): This system works!
openjdk version “11.0.11” 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing)

I think my next step is to upgrade the 16.04 Linux server. This is our main system test server and an upgrade is planned for later in the spring. I think I’ll have to pause on Hive for now and pick it up after the upgrade.