1 files changed, 43 insertions, 10 deletions

diff --git a/spec/unit/knife/ssl_fetch_spec.rb b/spec/unit/knife/ssl_fetch_spec.rb
index 24101dbe7a..cd0e423459 100644
--- a/spec/unit/knife/ssl_fetch_spec.rb
+++ b/spec/unit/knife/ssl_fetch_spec.rb
@@ -130,22 +130,55 @@ E
 
     before do
       Chef::Config.trusted_certs_dir = trusted_certs_dir
-
-      expect(TCPSocket).to receive(:new).with("foo.example.com", 8443).and_return(tcp_socket)
-      expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_fetch.noverify_peer_ssl_context).and_return(ssl_socket)
-      expect(ssl_socket).to receive(:connect)
-      expect(ssl_socket).to receive(:peer_cert_chain).and_return([self_signed_crt])
     end
 
     after do
       FileUtils.rm_rf(trusted_certs_dir)
     end
 
-    it "fetches the cert chain and writes the certs to the trusted_certs_dir" do
-      run
-      stored_cert_path = File.join(trusted_certs_dir, "example_local.crt")
-      expect(File).to exist(stored_cert_path)
-      expect(File.read(stored_cert_path)).to eq(File.read(self_signed_crt_path))
+    context "when the TLS connection is successful" do
+
+      before do
+        expect(TCPSocket).to receive(:new).with("foo.example.com", 8443).and_return(tcp_socket)
+        expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_fetch.noverify_peer_ssl_context).and_return(ssl_socket)
+        expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:peer_cert_chain).and_return([self_signed_crt])
+      end
+
+      it "fetches the cert chain and writes the certs to the trusted_certs_dir" do
+        run
+        stored_cert_path = File.join(trusted_certs_dir, "example_local.crt")
+        expect(File).to exist(stored_cert_path)
+        expect(File.read(stored_cert_path)).to eq(File.read(self_signed_crt_path))
+      end
+
+    end
+
+    context "when connecting to a non-SSL service (like HTTP)" do
+
+      let(:name_args) { %w{http://foo.example.com} }
+
+      let(:unknown_protocol_error) { OpenSSL::SSL::SSLError.new("SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol") }
+
+      before do
+        expect(TCPSocket).to receive(:new).with("foo.example.com", 80).and_return(tcp_socket)
+        expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_fetch.noverify_peer_ssl_context).and_return(ssl_socket)
+        expect(ssl_socket).to receive(:connect).and_raise(unknown_protocol_error)
+
+        expect(ssl_fetch).to receive(:exit).with(1)
+      end
+
+      it "tells the user their URL is for a non-ssl service" do
+        expected_error_text = <<-ERROR_TEXT
+ERROR: The service at the given URI (http://foo.example.com) does not accept SSL connections
+ERROR: Perhaps you meant to connect to 'https://foo.example.com'?
+ERROR_TEXT
+
+        run
+        expect(stderr).to include(expected_error_text)
+      end
+
     end
+
   end
 end