diff --git a/serverutil/tls.go b/serverutil/tls.go
index 7e5adff9134af3efd35e26a08b36f26704064bc5..5d0d98456bb9e1c73e6149f352a81c135decaa81 100644
--- a/serverutil/tls.go
+++ b/serverutil/tls.go
@@ -2,6 +2,8 @@ package serverutil
 
 import (
 	"crypto/tls"
+	"fmt"
+	"log"
 	"net/http"
 	"regexp"
 
@@ -119,6 +121,13 @@ func (c *TLSServerConfig) TLSAuthWrapper(h http.Handler) (http.Handler, error) {
 			h.ServeHTTP(w, r)
 			return
 		}
-		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+
+		// Log the failed access, useful for debugging.
+		var tlsmsg string
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			tlsmsg = fmt.Sprintf(" TLS client '%s' at", r.TLS.PeerCertificates[0].Subject.CommonName)
+		}
+		log.Printf("unauthorized access to %s from %s%s", r.URL.Path, tlsmsg, r.RemoteAddr)
+		http.Error(w, "Forbidden", http.StatusForbidden)
 	}), nil
 }
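Review bot: The new log line on the rejection path writes two request-controlled values, `r.URL.Path` and the peer certificate's `Subject.CommonName`, with `%s`, so a decoded newline or control character in either can break up or forge log entries. The hunk does not show the server's `ClientAuth` mode, so the certificate may not have been chain-verified when it is logged, and the CN should be treated as untrusted text. Quoting both with `%q` avoids this. The spacing also needs fixing: `tlsmsg` starts with a space and ends in `at` without one, which renders as `from  TLS client 'x' at10.0.0.1:1234`. I would change the two lines to `tlsmsg = fmt.Sprintf("TLS client %q at ", r.TLS.PeerCertificates[0].Subject.CommonName)` and `log.Printf("unauthorized access to %q from %s%s", r.URL.Path, tlsmsg, r.RemoteAddr)`. The body of TLSAuthWrapper begins outside this hunk, so the authorization check itself is not reviewed here.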