I confirm that --domains (or -d) accepts an IP address in addition to domain name.
I also needed the --disable-cn option so that the CSR that lego built did not include the IP address in the Common Name field. (*1)
This worked for me
lego --server=https://acme-staging-v02.api.letsencrypt.org/directory \
--email "your@email.tld" \
--accept-tos \
--http \
--domains 203.0.113.1 \
--disable-cn \
run --profile shortlived
(*1) The shortlived profile does not set the Common Name in the resulting cert. But, for some reason LE validates the CSR's common name and fails if it is an IP address. The --disable-cn option should be used to suppress the CN in the CSR. See: Certbot cert request fails for IP address in LE Staging - #5 by MikeMcQ