SSL/TLS Cert works in MQTT Explorer, but not Transmission Module

I’m testing setting up SSL/TLS for my Transmission module to my HiveMQ broker. I followed the steps here under the Generate a server side certificate for HiveMQ and Generate a PEM client certificate sections.

I tested this in MQTT Explorer by applying the client cert as the ‘Server Certificate (CA)’ certificate, enabling TLS, and changing the port to 8883. This connection works and I can verify from the broker that it is connected using TLS. I also tested connecting with openssl s_client with that same certificate, and it was also able to connect.

When I apply this same certificate to my Transmission module as the ‘CA Certificate File’ and change the URL to use ssl://[my hostname]:8883, my server shows 0 of 1 connected (where it was 1 of 1 connected previously using TCP). The only log message that Ignition shows is Error: ‘Failed to achieve connected state’. The HiveMQ logs repeatedly give a log message of ‘Client ID: UNKNOWN, IP: [my ip address] disconnected ungracefully from TCP Listener with TLS on port: 8883’ until I change the Transmission client back to using TCP.

Obviously these log messages aren’t very helpful in debugging, and I’m struggling to figure out what could be the issue. Why can I connect to my broker over TLS using other tools, but not with my Transmission client? What could be different about the Transmission client that is causing this?

Does your alias match the hostname you are specifying in the URL of the Transmission configuration? If not, you must uncheck the ‘verify hostname’ option of the TLS configuration. If that doesn’t help, do the Transmission logs show why it isn’t connecting?

Yes, I’ve confirmed the alias matches the hostname I’m trying to connect to. I still tried unchecking the verify hostname option, but no luck.
The Transmission logs don’t tell me much; the only error I get is:

[My Group ID/My Edge Node ID][My ClientID] Failed to achieve connected state

Could this be a networking issue of some sort? Idk what it would be, since I know I can connect to the Hive server with other tools, and it doesn’t look like there are any sort of outbound restrictions on the Ignition server.

Can you open a support ticket by sending your full Ignition logs to support@cirrus-link.com and reference this post?

I don’t think it is basic networking since HiveMQ seems to see the connection and then sees it go away. I also think it isn’t likely ACLs, as HiveMQ doesn’t appear to be the cause of the disconnect.
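
Hostname verification, raised earlier in the thread, compares the host in the ssl:// URL with the DNS names in the certificate the broker presents. The following is an added example, not part of the original thread and not Cirrus Link or HiveMQ code, that runs that comparison offline with openssl; the function names and the constructed certificate for broker.example.test are assumptions for illustration.

```shell
#!/bin/sh
# Added example: compare the host in an ssl:// URL with a certificate's names.

# Extract the host part of a URL such as ssl://broker.example.test:8883
# (IPv6 literals in brackets are not handled).
url_host() {
  h=${1#*://}
  printf '%s\n' "${h%%[:/]*}"
}

# Succeeds when the PEM certificate in $1 is valid for hostname $2.
# openssl prints "does match" or "does NOT match"; the printed result
# is what this function tests.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q "does match certificate"
}

# Constructed sample: a throwaway self-signed certificate for DNS name $2,
# written to directory $1 (needs OpenSSL 1.1.1+ for -addext).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/key.pem" -out "$1/cert.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Demo: the same certificate checked against two URL forms.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" broker.example.test
for url in ssl://broker.example.test:8883 ssl://10.0.0.5:8883; do
  host=$(url_host "$url")
  if cert_matches_host "$demo_dir/cert.pem" "$host"; then
    echo "$url: certificate names cover $host"
  else
    echo "$url: certificate names do not cover $host"
  fi
done
rm -rf "$demo_dir"
```

To check a real deployment, pass cert_matches_host the PEM file exported from the broker and the host taken from the Transmission URL.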