IBM MQ 2538 error negotiating an SSL connection

We have two connections (as a .NET/Windows client) to an IBM MQ endpoint (let's say non-Windows).

We use SSL, which is supported by a pair of certificates (client and server) and correctly labelled in the Windows Certificate Store to ensure we pick the right certificate.

Everything in Queue A works fine.

Queue B has recently stopped working. We now get a 2538 error. Nothing has changed.

• We keep both sides of both queues the same as we can.
• We have Wire-traced both Queue A and Queue B and can confirm SSL negotiation is incomplete on Queue B because of a "Connection Reset" by the Client
• All certificates are valid and in date
• We've tried with hard-trusted Self-signed certs between parties

It feels like there may be a communication error inhibiting successful SSL handshake.

The problem is exacerbated by the WebSphereMqClient NuGet package we use (8.0.0.7 - latest version) not giving us anything other than a 2538 error on calling:

_mqQueueManager = new MQQueueManager((string)queueManager, (Hashtable)connectionProperties);

Connection Properties being (redacted):

<IbmMqConnection server="ipaddress" 
                         portNumber="1234" 
                         channel="SOME.CHANNEL" 
                         queueManager="QUEUE_MANAGER">
    <SecureConnection enabled="True" 
                      cipherSuite="TLS_RSA_WITH_AES_256_CBC_SHA256" 
                      cipherSpec="TLS_RSA_WITH_AES_256_CBC_SHA256" 
                      peerName="CN=trusted-parties-cn"
                      certificateLabel="ibmwebspheremq"
                       />

Is there anything an expert could give us a clue on? Is there a way to get any diagnostics out of the NuGet black box?

Update 1:

The server is running 8.0.0.9.

Update 2:

@JoshMc suggested I turn on logging.

From this, I learn:

• It couldn't (rightly) find an mqclient.ini file in the binary folder or my personal folder.
• Errors start during SSL Authentication, specifically System.ComponentModel.Win32Exception (0x80004005): The credentials supplied to the package were not recognized
• Followed by the host seemingly disappearing: MQTCPConnection.ConnectSocket(string,string,MQLONG) rc=OK 00000174 10:29:28.917526 5748.1 CompCode: 2, Reason: 2538 AMQ9202: Remote host 'x.x.x.x(y)' not available, retry later.
• Out of which comes the 2538 CompCode: 2, Reason: 2538
• Negotiation seems to continue, using appropriate TLS version, etc.
• Then when trying to get the client (with our private key) certificate, we get System.ComponentModel.Win32Exception (0x80004005): The credentials supplied to the package were not recognized

I have double checked that the user does have permission to the Private Key.

Update 3

Issue found.

The issue was highlighted by the text System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.. On investigation it turns out that the permissions on the Private Key had been removed during a certificate renewal. I know the above says the permissions were confirmed to be there, but for a different certificate. I've left it in to retain history/honesty.

Issue was resolved by enabling the logging, as suggested by @JoshMc.

The log entry:

000001C9 11:16:51.194536   2072.1      System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at IBM.WMQ.Nmqi.MQEncryptedSocket.MakeSecuredConnection()
at IBM.WMQ.Nmqi.MQEncryptedSocket..ctor(NmqiEnvironment env, MQTCPConnection conn, Socket socket, MQChannelDefinition mqcd, MQSSLConfigOptions sslConfigOptions)
at IBM.WMQ.MQTCPConnection.ConnectSocket(String localAddr, String connectionName, Int32 options)

... led us straight to the issue, which was that the credentials used to access the private keys in the Windows Certificate Store were invalid. On investigation, they were not present.

Make sure that you include this step as part of your procedures for renewing SSL certificates.