diff --git a/end-to-end-tests/src/bin/cli_wrapper.rs b/end-to-end-tests/src/bin/cli_wrapper.rs
index 0e792367a11..2b5e9f65f23 100644
--- a/end-to-end-tests/src/bin/cli_wrapper.rs
+++ b/end-to-end-tests/src/bin/cli_wrapper.rs
@@ -1,5 +1,5 @@
 use anyhow::{Context, Result};
-use end_to_end_tests::helpers::ctx::ClientParams;
+use end_to_end_tests::helpers::ctx::{ClientParams, E2E_TLS_CERT_ENV};
 use std::os::unix::process::CommandExt;
 use std::process::Command;
 
@@ -10,12 +10,14 @@ async fn main() -> Result<Unreachable> {
     let mut args = std::env::args_os();
     let cli_path =
         args.next().context("usage: cli_wrapper OXIDE_CLI ARGS...")?;
-
     let client_params = ClientParams::new()?;
-    Err(Command::new(cli_path)
-        .args(args)
-        .env("OXIDE_HOST", client_params.base_url())
-        .env("OXIDE_TOKEN", client_params.get_session_token().await?)
-        .exec()
-        .into())
+    let mut cmd = Command::new(cli_path);
+    cmd.env("OXIDE_HOST", client_params.base_url());
+    cmd.env("OXIDE_TOKEN", client_params.get_session_token().await?);
+    cmd.arg("--resolve").arg(client_params.cli_resolve_arg().await?);
+    if let Some(cert_path) = std::env::var_os(E2E_TLS_CERT_ENV) {
+        cmd.arg("--cacert").arg(cert_path);
+    }
+    cmd.args(args);
+    Err(cmd.exec().into())
 }
diff --git a/end-to-end-tests/src/helpers/ctx.rs b/end-to-end-tests/src/helpers/ctx.rs
index 8a0586a82ea..f192bf46454 100644
--- a/end-to-end-tests/src/helpers/ctx.rs
+++ b/end-to-end-tests/src/helpers/ctx.rs
@@ -6,6 +6,7 @@ use omicron_test_utils::dev::poll::{wait_for_condition, CondCheckError};
 use oxide_client::types::{Name, ProjectCreate};
 use oxide_client::CustomDnsResolver;
 use oxide_client::{Client, ClientImagesExt, ClientProjectsExt, ClientVpcsExt};
+use reqwest::dns::Resolve;
 use reqwest::header::{HeaderMap, HeaderValue};
 use reqwest::Url;
 use std::net::IpAddr;
@@ -21,7 +22,7 @@ const RSS_CONFIG_STR: &str = include_str!(concat!(
 ));
 
 // Environment variable containing the path to a cert that we should trust.
-const E2E_TLS_CERT_ENV: &str = "E2E_TLS_CERT";
+pub const E2E_TLS_CERT_ENV: &str = "E2E_TLS_CERT";
 
 #[derive(Clone)]
 pub struct Context {
@@ -184,6 +185,22 @@ impl ClientParams {
         format!("{}://{}", self.proto, self.nexus_dns_name)
     }
 
+    pub async fn cli_resolve_arg(&self) -> Result<String> {
+        let address = self
+            .resolver
+            .resolve(self.nexus_dns_name.parse()?)
+            .await
+            .map_err(anyhow::Error::msg)?
+            .next()
+            .context("name did not resolve to any address")?;
+        let port = match self.proto {
+            "http" => "80",
+            "https" => "443",
+            _ => unreachable!(),
+        };
+        Ok(format!("{}:{}:{}", self.nexus_dns_name, port, address))
+    }
+
     pub fn reqwest_builder(&self) -> reqwest::ClientBuilder {
         let mut builder =
             reqwest::ClientBuilder::new().dns_resolver(self.resolver.clone());