diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index bc3c2b0b87..5c01f06479 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -314,6 +314,12 @@ outputs:
                                 template: "{{cloud_names.cloud_name_NETWORK}}"
                                 params:
                                   NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
+                          # etcd3 expects to use IP addresses, so add a SAN IP to its cert
+                          ip:
+                            str_replace:
+                              template: "{{NETWORK_ip}}"
+                              params:
+                                NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
                           principal:
                             str_replace:
                               template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"