I created a self-signed TLS certificate to use for RDP sessions from guacamole to a Rocky Linux virtual machine.
While checking if the TLS certificate is in use on the target host I ran openssl s_client -connect localhost:3389 to see if the key was being served, and it isn't. The error:
00FEE9FA2F7F0000:error:0A00010B:SSL routines:tls_validate_record_header:wrong version number:ssl/record/methods/tlsany_meth.c:80:
Later in the output I see: no peer certificate available
and
No client certificate CA names sent
I should see the key print to screen, right?
xrdp 0.10.3 is installed.
openssl --version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
/usr/sbin/xrdp -v
xrdp was compiled with OpenSSL 3.2.2 4 Jun 2024
xrdp.ini file:
[Globals]
; xrdp.ini file version number
ini_version=1
; fork a new process for each incoming connection
fork=true
port=3389
use_vsock=false
runtime_user=xrdp
runtime_group=xrdp
tcp_nodelay=true
tcp_keepalive=true
security_layer=tls
crypt_level=high
log_level=DEBUG
; X.509 certificate and private key
; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
certificate=/etc/xrdp/cert.pem
key_file=/etc/xrdp/key.pem
; set SSL protocols
; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
ssl_protocols=TLSv1.2, TLSv1.3
autorun=
allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
max_bpp=32
new_cursors=true
use_fastpath=both
grey=e1e1e1
dark_grey=b4b4b4
blue=0078d7
dark_blue=0078d7
ls_top_window_bg_color=003057
ls_width=350
ls_height=360
ls_bg_color=f0f0f0
ls_logo_filename=
ls_logo_transform=scale
ls_logo_width=250
ls_logo_height=110
ls_logo_x_pos=55
ls_logo_y_pos=35
ls_label_x_pos=30
ls_label_width=68
ls_input_x_pos=110
ls_input_width=210
ls_input_y_pos=158
ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=308
ls_btn_ok_width=85
ls_btn_ok_height=30
ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=308
ls_btn_cancel_width=85
ls_btn_cancel_height=30
[Logging]
; Note: Log levels can be any of: core, error, warning, info, debug, or trace
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
[LoggingPerLogger]
[Channels]
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
[Xorg]
name=Xorg
lib=libxup.so
ip=127.0.0.1
username=ask
password=ask
port=-1
code=20
; Frame capture interval (milliseconds)
h264_frame_interval=16
rfx_frame_interval=32
normal_frame_interval=40
The config file above is on the Rocky Linux target.
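Added example for this thread (not code from the original post or from the xrdp project): RDP on port 3389 does not begin with a TLS ClientHello. Per MS-RDPBCGR, the client first sends an X.224 Connection Request carrying an RDP_NEG_REQ, the server answers with an X.224 Connection Confirm that selects a security protocol, and only then does the TLS handshake start on the same TCP connection. openssl s_client has no STARTTLS mode for RDP, so it sends a TLS record first, gets a non-TLS reply, and reports "wrong version number" with no peer certificate. The script below performs that negotiation, then wraps the socket in TLS and returns the served certificate in DER form so its SHA-256 fingerprint can be compared with /etc/xrdp/cert.pem. The protocol constants are from MS-RDPBCGR; the host and port in main() are assumptions.

```python
"""Probe an RDP listener for its TLS certificate (X.224 negotiation, then TLS)."""
import hashlib
import socket
import ssl
import struct

# Protocol constants from MS-RDPBCGR (RDP Negotiation Request/Response/Failure)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_RDP = 0x0          # legacy RDP security: no TLS at all
PROTOCOL_SSL = 0x1          # TLS (what xrdp's security_layer=tls offers)
PROTOCOL_HYBRID = 0x2       # CredSSP/NLA, which also starts with a TLS handshake
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ asking for TLS."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, then the request
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224)]) + x224                    # LI = number of bytes after it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the X.224 Connection Confirm and report whether TLS was selected."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("reply is not TPKT/X.224; this port may not speak RDP")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match bytes received")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError(f"expected X.224 Connection Confirm (0xD0), got 0x{code:02x}")
    if li < 14:  # only the fixed CC header: server did not answer the negotiation
        return {"selected_protocol": PROTOCOL_RDP, "tls": False,
                "note": "no RDP_NEG_RSP, server uses legacy RDP security"}
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"failure": FAILURE_CODES.get(value, f"unknown({value})"), "tls": False}
    if neg_type != TYPE_RDP_NEG_RSP or length != 8:
        raise ValueError(f"unexpected negotiation structure type 0x{neg_type:02x}")
    return {"selected_protocol": value, "tls": value != PROTOCOL_RDP}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during X.224 exchange")
        buf += chunk
    return buf


def _recv_tpkt(sock: socket.socket) -> bytes:
    """Read one TPKT-framed message (4-byte header carries the total length)."""
    header = _recv_exact(sock, 4)
    if header[0] != 3:
        raise ValueError(f"non-TPKT reply: {header.hex()}")
    total = struct.unpack(">H", header[2:4])[0]
    return header + _recv_exact(sock, total - 4)


def fetch_rdp_certificate(host: str, port: int = 3389, timeout: float = 5.0) -> bytes:
    """Negotiate TLS over RDP and return the server certificate as DER bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        result = parse_connection_confirm(_recv_tpkt(sock))
        if not result["tls"]:
            raise RuntimeError(f"server did not select TLS: {result}")
        # Only now does the TLS handshake begin, on the same TCP connection.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # we want to inspect a self-signed cert, not trust it
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumption
    der = fetch_rdp_certificate(host)
    print("SHA256 fingerprint:", hashlib.sha256(der).hexdigest())
    # Compare with: openssl x509 -in /etc/xrdp/cert.pem -noout -fingerprint -sha256
```

If the two fingerprints match, the file named by certificate= in xrdp.ini is the one actually being served. If the server answers with an RDP_NEG_FAILURE instead, the decoded failure code (for example SSL_CERT_NOT_ON_SERVER) points at the negotiation step rather than at the TLS layer.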