diff --git a/charts/countly-web-ui-canary/templates/_helpers.tpl b/charts/countly-web-ui-canary/templates/_helpers.tpl
index b7eae73..426f42c 100644
--- a/charts/countly-web-ui-canary/templates/_helpers.tpl
+++ b/charts/countly-web-ui-canary/templates/_helpers.tpl
@@ -52,12 +52,6 @@ nginx.org/proxy-buffering: "True"
 nginx.org/proxy-read-timeout: "120s"
 nginx.org/proxy-send-timeout: "120s"
 nginx.org/keepalive: "256"
-# Disable HTTP→HTTPS redirect: cert-manager's HTTP-01 self-check fails when
-# F5 NIC's default-on redirect short-circuits the ACME challenge GET to HTTPS
-# while the host has no cert yet (chicken-and-egg). With this off, the canary
-# is reachable on HTTP first; once the cert issues, browsers navigating
-# directly to https:// still get TLS.
-nginx.org/redirect-to-https: "false"
 {{- with .Values.ingress.annotations }}
 {{ toYaml . }}
 {{- end }}
diff --git a/charts/countly-web-ui-canary/templates/ingress.yaml b/charts/countly-web-ui-canary/templates/ingress.yaml
index fa85976..ebb25f1 100644
--- a/charts/countly-web-ui-canary/templates/ingress.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress.yaml
@@ -13,6 +13,14 @@ metadata:
 {{- include "canary.labels" . | nindent 4 }}
 annotations:
 cert-manager.io/cluster-issuer: {{ required "ingress.tls.clusterIssuer is required" .Values.ingress.tls.clusterIssuer | quote }}
+ # Issue a self-signed temporary cert immediately so the TLS handshake works
+ # while the real Let's Encrypt cert is being issued. Without this, F5 NIC
+ # has `ssl_reject_handshake on` for hosts without a cert, which makes
+ # cert-manager's HTTP-01 self-check fail with `tls: unrecognized name` after
+ # F5 NIC's hardcoded HTTP→HTTPS redirect (the `nginx.org/redirect-to-https`
+ # annotation only controls a different XFP-based redirect, not this in-scheme one).
+ # cert-manager swaps the temp cert for the real one once ACME completes.
+ cert-manager.io/issue-temporary-certificate: "true"
 {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
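Review bot: The new `cert-manager.io/issue-temporary-certificate: "true"` line is emitted unconditionally ahead of `{{- include "canary.ingressAnnotations" . | nindent 4 }}`, so a deployment that sets the same key through `.Values.ingress.annotations` renders a duplicate key under `metadata.annotations`, which YAML consumers resolve inconsistently (silent last-wins in some parsers, a hard unmarshal error in others); the same is already true of the hardcoded `cert-manager.io/cluster-issuer` above it. Consider gating the line on a chart value or documenting beside it that the key must not be overridden via values. The seven-line comment also bakes in claims about F5 NIC internals (`ssl_reject_handshake on`, which redirect `nginx.org/redirect-to-https` controls) that are version-specific and not verifiable from the chart; a shorter comment such as `# Serve a temporary self-signed cert until ACME completes so cert-manager's HTTP-01 self-check survives the NIC's HTTP→HTTPS redirect (behaviour is NIC/cert-manager version dependent; see their docs).` would age better. Note as well that while the temporary certificate is being served, TLS-verifying clients and monitors will reject the canary's endpoint until the real certificate lands, which is presumably acceptable for a canary but worth a line in the chart's documentation.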