ThinLinc Web Access SSL/TLS certificate

Hi there all,

Just a quick question onto the possible replacement of the self signed certificate which resides in /opt/thinlink/etc//tlwebaccess.

The certificate i’d want to host is an internal one, signed by an internal CA. The certificate comes with the root CA embedded. I’ve tried to strip off everything but the certificate itself and it’s private key although whenever I’m using that combination, web access refuse to display/fails. The service though seems to be running happily.

Do I need anything else? do I need to store and trust the root CA on the local host?
Is there anything I can read (logs) when this happens?

For the record, if i’m shifting back to self signed cert combo, it all works fine however self signed…

Let me know,
Kind regards,


What error do you see when you try to connect? The browser should give you pointers to why it refuses to connect.

The root CA should be installed and trusted on your client machine that is accessing webaccess.

The server log for webaccess is /var/log/tlwebaccess.log

Kind regards,

Dear Martin,

Yes sure the root CA is trusted by the endpoints.
Here is what made this works =)

[duderino@m tlwebaccess]$ pwd
[duderino@m tlwebaccess]$ sudo chmod 400 cert_wildcard.crt
[duderino@m tlwebaccess]$ sudo chmod 400 cert_wildcard.key

And the clues came indeed from:

[duderino@m tlwebaccess]$ sudo tail -f /var/log/tlwebaccess.log
2023-06-19 08:13:01 DEBUG tlwebaccess[29034]: [::ffff:x.x.x.x] TLS connection detected
2023-06-19 08:13:01 DEBUG tlwebaccess[29034]: [::ffff:x.x.x.x] tlstunnel started as pid 29035
2023-06-19 08:13:01 ERROR tlwebaccess[29035]: [::ffff:x.x.x.x] File is read and writeable by others than file owner.

To get the DEBUG output you need to edit this line in this file:

[duderino@m conf.d]$ pwd
[duderino@m conf.d]$ sudo nano webaccess.hconf