Broken TLS in Postfix due to malformed fullchain.pem #7526

@lucagasparini

Description

When uploading a custom wildcard certificate via the UI, if the private key file (*.key) is missing a trailing newline (\n), the resulting fullchain.pem file generated at /etc/ssl/postfix/fullchain.pem becomes malformed. This causes Postfix to fail TLS initialization.

Steps to reproduce

  • Upload a custom wildcard certificate and private key using the web interface.
  • Ensure the private key file does not end with a newline after -----END RSA PRIVATE KEY-----.
  • The generated /etc/ssl/postfix/fullchain.pem will look like this (note the missing newline before the cert begins):

      -----END RSA PRIVATE KEY----------BEGIN CERTIFICATE-----

  • Try to test SMTP with:

      openssl s_client -showcerts -starttls smtp -connect <your-domain>:25 < /dev/null

  • You will get:

      error:04800066:PEM routines::bad end line:crypto/pem/pem_lib.c:881:

  • Postfix log (/var/log/maillog):

      postfix/smtpd[37645]: warning: TLS library problem: error:04800066:PEM routines::bad end line:crypto/pem/pem_lib.c:881:
      postfix/smtpd[37645]: warning: error loading private keys and certificates from: /etc/ssl/postfix/fullchain.pem: disabling TLS support

Expected behavior

  • The system should ensure a newline is present at the end of the .key file before concatenating it with the certificate, so that fullchain.pem is correctly formatted.

Actual behavior

  • Postfix fails TLS initialization

Suggested Fix:
Automatically add a newline after -----END RSA PRIVATE KEY----- if it is missing during certificate upload or before generating fullchain.pem.

Components

ns8-traefik
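
An added example, not part of the original report and not ns8-traefik code: a check that flags a PEM boundary fused onto one line, as in the fullchain.pem shown above, and a concatenation helper that ends every block with a newline. The function names and the placeholder PEM bodies are assumptions made for illustration.

```python
import re

# A PEM boundary line must stand alone. Two markers on one line mean the
# first block was written without a trailing newline.
FUSED = re.compile(r"-----END ([A-Z0-9 ]+)-----[ \t]*-----BEGIN ([A-Z0-9 ]+)-----")


def find_fused_boundaries(pem_text):
    """Return (line_number, end_label, begin_label) for each fused boundary."""
    hits = []
    for lineno, line in enumerate(pem_text.splitlines(), start=1):
        for m in FUSED.finditer(line):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


def join_pem(*blocks):
    """Concatenate PEM blocks so that each one ends with exactly one newline."""
    out = []
    for block in blocks:
        # Normalise CRLF and drop stray leading/trailing whitespace.
        text = block.replace("\r\n", "\n").strip()
        if text:
            out.append(text + "\n")
    return "".join(out)


# Constructed sample input: placeholder bodies, not real key material.
KEY_NO_NEWLINE = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"
CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    naive = KEY_NO_NEWLINE + CERT  # plain concatenation, as in the report
    print("naive:", find_fused_boundaries(naive))
    fixed = join_pem(KEY_NO_NEWLINE, CERT)
    print("fixed:", find_fused_boundaries(fixed))
```

Running `find_fused_boundaries` over an existing fullchain.pem before reloading Postfix catches the malformed file without waiting for the TLS warning in the mail log.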


Labels: verified (All test cases were verified successfully)

Status: Done
