grep: warning: stray \ before white space

[ArthurBorsboom]

Describe the bug

After upgrading the Arch Linux package "check_ssl_cert" from 2.36.0-1 -> 2.42.0-1 the plugin shows a warning in the monitoring system (Icinga2 monitor) which I haven't noticed before:

Plugin output:

grep: warning: stray \ before white space
grep: warning: stray \ before white space
grep: warning: stray \ before white space
grep: warning: stray \ before white space
SSL_CERT OK - www.xxxxxxxxxx.xx:443, https, x509 certificate 'xxxxxxxxxxxxxxx' (xxxxxxxxxxxxxx) from 'Let's Encrypt' valid until Oct 27 21:12:29 2022 GMT (expires in 46 days)

To Reproduce

The monitoring starts automatically on boot including all the plugins and check_ssl_cert show this now for all the SSL checks.

Expected behavior

No warnings

System (please complete the following information):

• OS: Arch Linux
• OS version: Rolling release
• check_ssl_cert version: 2.42.0
• OpenSSL version (openssl version): 1.1.1.q-1

Additional context/output

I'm uncertain if this is due to a misconfiguration, but to me it seems new and therefore a possible regression.

[matteocorti]

Thanks

Can you please add -d and post the debugging output?

[ArthurBorsboom]

Hi Matteo,

I have ran the following command.

/usr/lib/monitoring-plugins/check_ssl_cert -H subfake.fakedomain.com -d > check_ssl_cert_debug.txt 2>&1

I have replaced the (sub) domain name to hide the real domain name. The result is in the attachment including the warning.

check_ssl_cert_debug.txt

I have to mention that many OS packages have been upgraded, like the check SSL plugin and also grep. This might be part of the equation.

grep (3.7-1 -> 3.8-2)

Is this sufficient information to reproduce and fix the issue?

[ArthurBorsboom]

While looking at the log it seems that the warning is coming from OpenSSL, which was upgraded a longer time ago.

[2022-07-10T09:46:03+0200] [ALPM] upgraded openssl (1.1.1.p-1 -> 1.1.1.q-1)

Maybe the warning is caused by OpenSSL 1.1.1.q and grep 3.8.2 ?

[matteocorti]

Dear Arthur,

Many thanks for your report. Without the host name, I am unable to reproduce the problem. If you want me to investigate the issue, you need to provide the information to reproduce the issue, either by posting it or by providing it per email.

If it's a private host, I will need the result of the following command:

printf 'HEAD / HTTP/1.1\nHost: subfake.domainfake.com\nUser-Agent: check_ssl_cert/2.42.0\nConnection: close\n\n' | /usr/bin/openssl s_client    -crlf  -connect subfake.domainfake.com:443 -servername subfake.domainfake.com   -showcerts -verify 6 

[ArthurBorsboom]

I have send an attachment with the original host name by email.

[ArthurBorsboom]

A remote session by teamviewer is a possibility as well, since that might speed up things for you. If so, we'll handle that by email as well.

[matteocorti]

Thanks. I’ll try to reproduce the issue.

[matteocorti]

I was able to reproduce it (by installing Arch Linux). Not dependent on the host.

[matteocorti]

Problem caused by new versions of grep which complain about '\ '

[matteocorti]

04ec242 fixes the OK case, but the problem is still there in case of OpenSSL errors

[ArthurBorsboom]

Interesting. Anything I can help with? Does something need to go upstream? Or does it have to be fixed in this plugin?

[matteocorti]

Instead of \ I can use [ ] but I would like to understand why the warning is there....

[matteocorti]

Some examples:

corti@macbookpro check_ssl_cert> ggrep -V
ggrep (GNU grep) 3.8
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Mike Haertel and others; see
<https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
corti@macbookpro check_ssl_cert> ggrep ' ' check_ssl_cert > /dev/null 
corti@macbookpro check_ssl_cert> ggrep '\ ' check_ssl_cert > /dev/null 
ggrep: warning: stray \ before white space
corti@macbookpro check_ssl_cert> ggrep '[ ]' check_ssl_cert > /dev/null 

and

corti@macbookpro check_ssl_cert> grep -V
grep (BSD grep, GNU compatible) 2.6.0-FreeBSD
corti@macbookpro check_ssl_cert> grep '\ ' check_ssl_cert > /dev/null 

[matteocorti]

In the NEWS file for grep 3.8:

Regular expressions with stray backslashes now cause warnings, as their unspecified behavior can lead to unexpected results.

[ArthurBorsboom]

Pretty vague description 'unspecified' and 'unexpected'. On the other hand, they must have their reasons...

[matteocorti]

https://bugs.gnu.org/39678

[matteocorti]

Additional note, according to POSIX regex standard: "An ordinary character is a BRE that matches itself: any character in the supported character set, except for the BRE special characters listed in BRE Special Characters. The interpretation of an ordinary character preceded by an unescaped

( '\\' ) is undefined, except for: [...]" which means that escaping ordinary characters (like \a) has undefined behaviour, thus I think it should not be matched.

[matteocorti]

But is (more or less) fixed. I fear that a couple of other issues could arise. Let's hope that ShellCheck will implement systematic test.

[ArthurBorsboom]

Good to hear. I will wait until the next package upgrade lands in Arch Linux. If I see more similar warnings, then I reopen this ticket.

Thanks for your quick help.

[matteocorti]

As a side note: installing Arch Linux was fun: going back to my Linux times (I now use a Mac)

[ArthurBorsboom]

Hi Matteo,

Plugin v2.44 landed in Arch Linux and the grep warning has disappeared from the Icinga2 monitor user interface. Thanks for your help.

[matteocorti]

There are still some cases that issue a warning (e.g., with --require-dnssec). I'll submit a fix soon. See #406