diff --git a/core/src/main/java/google/registry/flows/TlsCredentials.java b/core/src/main/java/google/registry/flows/TlsCredentials.java
index b9951a9b8..c772ecb0e 100644
--- a/core/src/main/java/google/registry/flows/TlsCredentials.java
+++ b/core/src/main/java/google/registry/flows/TlsCredentials.java
@@ -220,7 +220,8 @@ public class TlsCredentials implements TransportCredentials {
       super(
           clientInetAddr.isPresent()
               ? String.format(
-                  "Registrar IP address %s is not in stored allow list", clientInetAddr.get())
+                  "Registrar IP address %s is not in stored allow list",
+                  clientInetAddr.get().getHostAddress())
               : "Registrar IP address is not in stored allow list");
     }
   }
diff --git a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
index 35bc770d2..745b13fdc 100644
--- a/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
+++ b/core/src/test/java/google/registry/flows/TlsCredentialsTest.java
@@ -14,6 +14,7 @@
 
 package google.registry.flows;
 
+import static com.google.common.truth.Truth.assertThat;
 import static com.google.common.truth.Truth8.assertThat;
 import static google.registry.testing.CertificateSamples.SAMPLE_CERT;
 import static google.registry.testing.DatabaseHelper.loadRegistrar;
@@ -81,16 +82,23 @@ final class TlsCredentialsTest {
   @Test
   void test_missingIpAddress_doesntAllowAccess() {
     TlsCredentials tls =
-        new TlsCredentials(false, Optional.of("certHash"), Optional.empty(), certificateChecker);
+        new TlsCredentials(
+            false, Optional.of("certHash"), Optional.of("127.0.0.1"), certificateChecker);
     persistResource(
         loadRegistrar("TheRegistrar")
             .asBuilder()
             .setClientCertificate(SAMPLE_CERT, clock.nowUtc())
             .setIpAddressAllowList(ImmutableSet.of(CidrAddressBlock.create("3.5.8.13")))
             .build());
-    assertThrows(
-        BadRegistrarIpAddressException.class,
-        () -> tls.validate(Registrar.loadByRegistrarId("TheRegistrar").get(), "password"));
+
+    BadRegistrarIpAddressException thrown =
+        assertThrows(
+            BadRegistrarIpAddressException.class,
+            () -> tls.validate(Registrar.loadByRegistrarId("TheRegistrar").get(), "password"));
+
+    assertThat(thrown)
+        .hasMessageThat()
+        .isEqualTo("Registrar IP address 127.0.0.1 is not in stored allow list");
   }
 
   @Test