diff --git a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
index bf4c10fdbd1..5f2a67778ca 100755
--- a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
+++ b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
@@ -33,7 +33,16 @@ if [ "$cert_ip" == "_use_gce_external_ip_" ]; then
 fi
 if [ "$cert_ip" == "_use_aws_external_ip_" ]; then
- cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
+ # If there's no public IP assigned (e.g. this host is running on an internal subnet in a VPC), then
+ # curl will happily spit out the contents of AWS's 404 page and an exit code of zero.
+ #
+ # The string containing the 404 page trips up one of easyrsa's calls to openssl later; whichever
+ # one creates the CA certificate, because the 404 page is > 64 characters.
+ if cert_ip=$(curl -f -s http://169.254.169.254/latest/meta-data/public-ipv4); then
+ :
+ else
+ cert_ip=$(curl -f -s http://169.254.169.254/latest/meta-data/local-ipv4)
+ fi
 fi
 sans="IP:${cert_ip}"