2 files changed, 27 insertions, 2 deletions

diff --git a/lib/chef/knife.rb b/lib/chef/knife.rb
index 18792da44a..aa30f2e2ed 100644
--- a/lib/chef/knife.rb
+++ b/lib/chef/knife.rb
@@ -486,8 +486,11 @@ class Chef
         ui.error "Failed to authenticate to #{server_url} as #{username} with key #{api_key}"
         ui.info "Response:  #{format_rest_error(response)}"
       when Net::HTTPForbidden
-        ui.error "You authenticated successfully to #{server_url} as #{username} but you are not authorized for this action.
-        This is possibly a connectivity issue. Please check your proxy settings if any."
+        ui.error "You authenticated successfully to #{server_url} as #{username} but you are not authorized for this action."
+        proxy_env_vars = ENV.to_hash.keys.map(&:downcase) & %w{http_proxy https_proxy ftp_proxy socks_proxy no_proxy}
+        unless proxy_env_vars.empty?
+          ui.error "There are proxy servers configured, your Chef server may need to be added to NO_PROXY."
+        end
         ui.info "Response:  #{format_rest_error(response)}"
       when Net::HTTPBadRequest
         ui.error "The data in your request was invalid"
diff --git a/spec/unit/knife_spec.rb b/spec/unit/knife_spec.rb
index 00c629b680..2b22dbc4f7 100644
--- a/spec/unit/knife_spec.rb
+++ b/spec/unit/knife_spec.rb
@@ -439,6 +439,28 @@ describe Chef::Knife do
       expect(stderr.string).to match(%r{Response:  y u no administrator})
     end
 
+    context "when proxy servers are set" do
+      before do
+        ENV["http_proxy"] = "xyz"
+      end
+
+      after do
+        ENV.delete("http_proxy")
+      end
+
+      it "formats proxy errors nicely" do
+        response = Net::HTTPForbidden.new("1.1", "403", "Forbidden")
+        response.instance_variable_set(:@read, true)
+        allow(response).to receive(:body).and_return(Chef::JSONCompat.to_json(:error => "y u no administrator"))
+        allow(knife).to receive(:run).and_raise(Net::HTTPServerException.new("403 Forbidden", response))
+        allow(knife).to receive(:username).and_return("sadpanda")
+        knife.run_with_pretty_exceptions
+        expect(stderr.string).to match(%r{ERROR: You authenticated successfully to http.+ as sadpanda but you are not authorized for this action})
+        expect(stderr.string).to match(%r{ERROR: There are proxy servers configured, your Chef server may need to be added to NO_PROXY.})
+        expect(stderr.string).to match(%r{Response:  y u no administrator})
+      end
+    end
+
     it "formats 400s nicely" do
       response = Net::HTTPBadRequest.new("1.1", "400", "Bad Request")
       response.instance_variable_set(:@read, true) # I hate you, net/http.