diff --git a/client/src/__locales/en.json b/client/src/__locales/en.json
index b986dea1..7ec9c779 100644
--- a/client/src/__locales/en.json
+++ b/client/src/__locales/en.json
@@ -393,6 +393,7 @@
 "encryption_issuer": "Issuer",
 "encryption_hostnames": "Hostnames",
 "encryption_reset": "Are you sure you want to reset encryption settings?",
+ "encryption_warning": "Warning",
 "topline_expiring_certificate": "Your SSL certificate is about to expire. Update <0>Encryption settings.",
 "topline_expired_certificate": "Your SSL certificate is expired. Update <0>Encryption settings.",
 "form_error_port_range": "Enter port number in the range of 80-65535",
diff --git a/client/src/components/Settings/Encryption/Form.js b/client/src/components/Settings/Encryption/Form.js
index b94dd94b..9df440aa 100644
--- a/client/src/components/Settings/Encryption/Form.js
+++ b/client/src/components/Settings/Encryption/Form.js
@@ -56,6 +56,26 @@ const clearFields = (change, setTlsConfig, t) => {
 }
 };
 
+const validationMessage = (warningValidation, isWarning) => {
+ if (!warningValidation) {
+ return null;
+ }
+
+ if (isWarning) {
+ return (
+
+

encryption_warning: {warningValidation}

+
+ ); + } + + return ( +
+

{warningValidation}

+
+ ); +}; + let Form = (props) => { const { t, @@ -95,6 +115,8 @@ let Form = (props) => { || !valid_cert || !valid_pair; + const isWarning = valid_key && valid_cert && valid_pair; + return (
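Review bot: The added `const isWarning = valid_key && valid_cert && valid_pair;` restates the complement of the error condition ending in `|| !valid_cert || !valid_pair;` a few lines above it (that expression starts outside the hunk), so a later change to one can silently desynchronise the other. Consider deriving it from that value, or at least documenting the intent with a comment above the line such as `// warning_validation is only a warning when the key/cert pair itself is valid; otherwise it is shown as an error`. The `valid_key` operand is not visible in the shown part of the error condition, so the two may already disagree; worth confirming against the lines above the hunk. The enclosing `Form` component continues outside the hunk.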
@@ -382,11 +404,7 @@ let Form = (props) => {
 )}
- {warning_validation && (
-
-

{warning_validation}

-
- )}
+ {validationMessage(warning_validation, isWarning)}
diff --git a/internal/home/tls.go b/internal/home/tls.go
index 7fdd64d8..c9086629 100644
--- a/internal/home/tls.go
+++ b/internal/home/tls.go
@@ -513,6 +513,11 @@ func validateCertChain(certs []*x509.Certificate, srvName string) (err error) {
 return nil
 }
 
+// errNoIPInCert is the error that is returned from [parseCertChain] if the leaf
+// certificate doesn't contain IPs.
+const errNoIPInCert errors.Error = `certificates has no IP addresses; ` +
+ `DNS-over-TLS won't be advertised via DDR`
+
 // parseCertChain parses the certificate chain from raw data, and returns it.
 // If ok is true, the returned error, if any, is not critical.
 func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err error) {
@@ -535,8 +540,7 @@ func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err
 log.Info("tls: number of certs: %d", len(parsedCerts))
 
 if !aghtls.CertificateHasIP(parsedCerts[0]) {
- err = errors.Error(`certificate has no IP addresses` +
- `, this may cause issues with DNS-over-TLS clients`)
+ err = errNoIPInCert
 }
 
 return parsedCerts, true, err
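Review bot: The message on the `const errNoIPInCert errors.Error = ...` line has a number mismatch, `certificates has no IP addresses`, while both the doc comment above it and the message it replaces in the second hunk refer to the single leaf certificate; change the first part to `` `certificate has no IP addresses; ` ``. The new wording also narrows the stated consequence to DDR advertisement, whereas the removed text warned about DNS-over-TLS clients in general; if clients are expected to reach the server by IP without a host name, a missing IP SAN affects their certificate verification too, so keeping both consequences in the message would be more useful to the operator reading the UI warning. Since the constant is a typed `errors.Error`, callers can now use `errors.Is(err, errNoIPInCert)` to recognise this non-critical case, which matches the `If ok is true` contract on `parseCertChain`; whether any caller does so is outside these hunks.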