Mosquitto_sub connection timeout when subscribing from remote laptop over TLS (port 8883)

I have set up a Mosquitto broker on Laptop A (10.2.30.23) listening on port 8883 with TLS enabled. The broker starts successfully and local publish/subscribe on Laptop A works fine.

Laptop A acts as:

  • MQTT Broker

  • MQTT Publisher

Laptop B (10.2.31.144) acts as:

  • MQTT Subscriber

Broker startup (Laptop A)

mosquitto -c ….\….\test.conf -v

Broker logs show:

Opening ipv4 listen socket on port 8883.
mosquitto running

Publisher (Laptop A – works locally)

mosquitto_pub -h 10.2.30.23 -p 8883 -t test -m "hello" --cafile ca.crt --tls-version tlsv1.2 -d

Publish succeeds and receives CONNACK.

Subscriber (Laptop B – fails)

mosquitto_sub -h 10.2.30.23 -p 8883 -t test --cafile ca.crt --tls-version tlsv1.2

Error observed on Laptop B:

Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Additional details

  • ca.crt was generated on Laptop A and copied to Laptop B (same CA used)

  • No require_certificate true is configured on the broker

  • Broker works locally but is unreachable from the remote machine

  • Laptop A and Laptop B are on different subnets (10.2.30.x and 10.2.31.x)

Question

Is this issue likely caused by:

  • Windows firewall blocking inbound port 8883 on Laptop A?

  • Broker listener binding only to localhost?

  • Network/VLAN restrictions between subnets?

  • Any additional TLS or Mosquitto configuration required for remote clients?

Any guidance on what to validate next would be helpful.

Hi Ranjith,

The problem should not come from the TLS layer. All other options you have mentioned can likely be the cause of the problem. In your config file, what are your listener settings there? In theory, it is possible to only allow localhost connections. Could you check that?

8883, 0.0.0.0:8883 or 10.2.30.23:8883 → good, broker is reachable on the LAN.

127.0.0.1:8883 → bad, broker is local-only

Other than that, check your firewall settings and, if those ports are theoretically reachable, ping them from outside.

Best

Tizian

Hey @Tizian , thanks for the reply.

This is my test.conf file from where my broker is running from laptop A.

listener 8883
allow_anonymous true

cafile C:\Users\RanjithBK\Downloads\mosquitto\certs\ca.crt
keyfile C:\Users\RanjithBK\Downloads\mosquitto\certs\server.key
certfile C:\Users\RanjithBK\Downloads\mosquitto\certs\server.crt
tls_version tlsv1.2

I hope this is fine !!?

Hello,

This does look fine. Have you checked whether your subscriber can reach the broker?
You can also check this in the broker logs and see if a connection comes through at the time of the sub.

Hey @Tizian, I will share with you my logs from the subscriber on Laptop B and from the broker + publisher on Laptop A.

Broker in Laptop A,

Publisher from Laptop A,

Subscriber from Laptop B,

And regarding the test.conf file which I sent you from Laptop A, should I also set up the same file and certificate files on Laptop B as well?

Hello,

If these are all the logs you are seeing, there is only one connection visible here to the broker. This means the other connection does not even reach it.
There is some network issue you will need to resolve to get the subscriber up and running.

This means no broker-level configuration should be the problem right now.

Hey @Tizian, so my configuration files and generation of certificates are all correct, right? What can the network issue be? I have enabled the inbound and outbound rules for port 8883 on both machines, and also tried disabling the firewall on both machines. Still no progress; I'm stuck as of now :smiling_face_with_tear:

Hi,

Your certificates seem to be fine as it works on one connection and also you are not setting the require_certificate true option.

Have you tried checking the ports in the console?
Local check:
E.g. netstat -an | findstr :8883

Check from Other device:
telnet <ip> 8883

As long as you are not spotting any logs referring to an incoming connection on the broker side from the external Laptop, you can be sure the broker is not blocking any connections. E.g., if the certificates were a problem, you would see TLS errors. You can also increase the log level to be sure to not miss any information with log_type all

I hope you find the error.

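The two checks suggested in the replies above (is the listener bound to a LAN address or only to 127.0.0.1, and does the remote client get a TCP answer at all before TLS is even attempted) can be automated. The following is an added example written for this page; it is not code from the thread or from the Mosquitto project. It parses a constructed sample of Windows `netstat -an` output, and classifies a connection attempt into "TCP timed out" (firewall/routing between the subnets, which is what the error on Laptop B reads like), "TCP refused" (host answers but nothing listens on that interface/port), or "TLS error" (TCP works, the handshake fails). The loopback "fake server" exists only so the script can run offline; the `ca.crt` path in the final comment is an assumption.

```python
import socket
import ssl
import threading

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
# It mirrors the rule given in the thread: 0.0.0.0, [::] or a LAN address is
# reachable from other hosts; 127.0.0.1 / [::1] is local-only.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1883         0.0.0.0:0              LISTENING
  TCP    10.2.30.23:8883        0.0.0.0:0              LISTENING
  TCP    [::]:8883              [::]:0                 LISTENING
"""


def listener_scope(netstat_output, port):
    """Classify a TCP port from netstat text: 'lan', 'local-only' or 'not-listening'."""
    scope = "not-listening"
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, p = parts[1].rpartition(":")
        if p != str(port):
            continue
        if addr.strip("[]") in ("127.0.0.1", "::1"):
            scope = "local-only"      # keep looking: a LAN bind may also exist
        else:
            return "lan"              # 0.0.0.0, [::] or an interface address
    return scope


def probe(host, port, tls=False, cafile=None, timeout=3.0):
    """Tell the failure modes apart from the client side.

    tcp-timeout     -> no SYN/ACK at all: firewall or routing between the subnets
    tcp-refused     -> host answered, but nothing listens on that port/interface
    tcp-unreachable -> no route / host down
    tls-error       -> TCP works, the TLS handshake fails (wrong CA, non-TLS listener)
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp-timeout"
    except ConnectionRefusedError:
        return "tcp-refused"
    except OSError:
        return "tcp-unreachable"
    if not tls:
        raw.close()
        return "tcp-open"
    ctx = ssl.create_default_context(cafile=cafile)   # cafile=None: system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as conn:
            return "tls-ok:" + conn.version()
    except ssl.SSLError:
        return "tls-error"
    except socket.timeout:
        return "tls-timeout"
    finally:
        raw.close()


def start_fake_server(reply=b""):
    """Loopback listener used only to exercise probe() offline (constructed, not a broker)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if reply:
            conn.sendall(reply)   # a non-TLS reply makes the TLS handshake fail
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port that was just released, so a connect to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("8883 in sample netstat:", listener_scope(SAMPLE_NETSTAT, 8883))
    print("1883 in sample netstat:", listener_scope(SAMPLE_NETSTAT, 1883))
    print("plain listener:", probe("127.0.0.1", start_fake_server()))
    print("non-TLS listener, TLS probe:",
          probe("127.0.0.1", start_fake_server(b"HTTP/1.0 400 Bad Request\r\n\r\n"), tls=True))
    print("closed port:", probe("127.0.0.1", closed_port()))
    # Against the real broker (assumed paths): probe("10.2.30.23", 8883, tls=True, cafile="ca.crt")
```

Run it on Laptop B against the broker address: "tcp-timeout" matches the error message in the question and points at a firewall or inter-subnet filtering, "tcp-refused" points at a listener bound only to 127.0.0.1 (compare with `listener_scope` on the netstat output from Laptop A), and only a "tls-error" result would justify looking at ca.crt or the listener's TLS settings.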

Hi @Tizian, these are my results.

Below is my main Laptop A, where I am running the Pub + Broker:

[Screenshot 2026-02-03 151310: image not reproduced]

Below I am doing telnet on the other Laptop B, where I am running the subscriber.

The first IP is Laptop B's and the second is Laptop A's.

Hi,

This shows that the port is open, but you are not able to reach it from an external source.
Can you ping in general from Laptop A to B and other way around?
ping <ip>

You will need to figure out the reason for those two not being able to communicate, either completely or only on that port. Unfortunately, there is not much more I can tell you. Make sure they are in the same network, check for other firewalls, maybe on router level, etc.


Hey @Tizian, thanks for your patience and replies.

So I am not able to connect between the devices. I did all the settings but still no progress. Thank you.

Hi,

You are welcome, and yes, that is the correct conclusion.
I am not sure why that is the case for you, but I hope you can sort it out!
