diff --git a/serverutil/tls.go b/serverutil/tls.go
index fbf39f7ee0eae65009d60179a5449255487fc03e..21c002b8baaae892f04f481b84a23e1aa7a34067 100644
--- a/serverutil/tls.go
+++ b/serverutil/tls.go
@@ -163,7 +163,7 @@ func (c *TLSServerConfig) TLSAuthWrapper(h http.Handler) (http.Handler, error) {
 		// Log the failed access, useful for debugging.
 		var tlsmsg string
 		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
-			tlsmsg = fmt.Sprintf(" TLS client '%s' at", r.TLS.PeerCertificates[0].Subject.CommonName)
+			tlsmsg = fmt.Sprintf("TLS client '%s' at", r.TLS.PeerCertificates[0].Subject.CommonName)
 		}
 		log.Printf("unauthorized access to %s from %s%s", r.URL.Path, tlsmsg, r.RemoteAddr)
 		http.Error(w, "Forbidden", http.StatusForbidden)