diff --git a/charts/countly-web-ui-canary/templates/_helpers.tpl b/charts/countly-web-ui-canary/templates/_helpers.tpl
index 426f42c..b7eae73 100644
--- a/charts/countly-web-ui-canary/templates/_helpers.tpl
+++ b/charts/countly-web-ui-canary/templates/_helpers.tpl
@@ -52,6 +52,12 @@ nginx.org/proxy-buffering: "True"
 nginx.org/proxy-read-timeout: "120s"
 nginx.org/proxy-send-timeout: "120s"
 nginx.org/keepalive: "256"
+# Disable HTTP→HTTPS redirect: cert-manager's HTTP-01 self-check fails when
+# F5 NIC's default-on redirect short-circuits the ACME challenge GET to HTTPS
+# while the host has no cert yet (chicken-and-egg). With this off, the canary
+# is reachable on HTTP first; once the cert issues, browsers navigating
+# directly to https:// still get TLS.
+nginx.org/redirect-to-https: "false"
 {{- with .Values.ingress.annotations }}
 {{ toYaml . }}
 {{- end }}