diff --git a/argocd/countly-hosted/applicationsets/07-canary-cert-issuer.yaml b/argocd/countly-hosted/applicationsets/07-canary-cert-issuer.yaml
deleted file mode 100644
index ab474f3..0000000
--- a/argocd/countly-hosted/applicationsets/07-canary-cert-issuer.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Per-customer ApplicationSet that deploys the cert-manager ClusterIssuer used
-# by countly-web-ui canaries. cert-manager + nginx-ingress already exist on
-# the cluster (managed by countly-hosted operators); this only adds the
-# ClusterIssuer that canary Ingresses reference via the
-# `cert-manager.io/cluster-issuer: letsencrypt-prod-http01` annotation.
-#
-# Generator scope: only v2-new for now. To enable canaries on more customers,
-# change `customers/v2-new.yaml` → `customers/*.yaml` and gate by a new
-# customer-file field (e.g. `canaryWebUI: enabled`) in the path expression
-# below.
-#
-# Sync wave -20 ensures the ClusterIssuer exists before the canary-web-ui
-# ApplicationSet's child Applications start syncing (which would otherwise
-# create CertificateRequests that wait on a missing issuer).
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
- name: canary-cert-issuer
- namespace: argocd
-spec:
- goTemplate: true
- goTemplateOptions:
- - missingkey=error
- generators:
- - git:
- repoURL: https://github.com/Countly/countly-deployment.git
- revision: main
- files:
- - path: customers/v2-new.yaml
- template:
- metadata:
- name: "{{ .customer }}-canary-cert-issuer"
- annotations:
- argocd.argoproj.io/sync-wave: "-20"
- labels:
- app.kubernetes.io/part-of: countly
- app.kubernetes.io/component: canary-cert-issuer
- spec:
- project: countly-customers
- source:
- repoURL: https://github.com/Countly/countly-deployment.git
- targetRevision: main
- path: argocd/bootstrap
- directory:
- recurse: false
- destination:
- server: "{{ .server }}"
- # ClusterIssuer is cluster-scoped — namespace value is only used by
- # ArgoCD's project allow-list gate. "countly" is in the project's
- # destinations; "cert-manager" is not. Resource still lands at
- # cluster scope.
- namespace: countly
- syncPolicy:
- automated:
- prune: false
- selfHeal: true
- syncOptions:
- - CreateNamespace=false
- - ApplyOutOfSyncOnly=true
diff --git a/charts/countly-web-ui-canary/templates/certificate.yaml b/charts/countly-web-ui-canary/templates/certificate.yaml
deleted file mode 100644
index b9c0ad8..0000000
--- a/charts/countly-web-ui-canary/templates/certificate.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{/*
-Explicit Certificate resource (rather than relying on cert-manager's ingress-shim
-auto-creation from the Ingress's cert-manager.io/cluster-issuer annotation).
-
-We need the cert-manager.io/issue-temporary-certificate annotation on the
-Certificate so cert-manager pre-populates the TLS Secret with a self-signed
-cert immediately. Without it, F5 NIC's `ssl_reject_handshake on` for hosts
-without a cert kills cert-manager's HTTP-01 self-check (it follows the
-hardcoded HTTP→HTTPS redirect and the TLS handshake fails with
-`tls: unrecognized name`).
-
-ingress-shim in cert-manager v1.17 doesn't propagate the
-issue-temporary-certificate annotation from Ingress to Certificate, so the
-chart owns the Certificate directly.
-*/}}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ include "canary.fullname" . }}-tls
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "canary.labels" . | nindent 4 }}
- annotations:
- cert-manager.io/issue-temporary-certificate: "true"
-spec:
- secretName: {{ include "canary.fullname" . }}-tls
- duration: 2160h # 90d
- renewBefore: 720h # 30d (renew when 1/3 lifetime remaining)
- privateKey:
- algorithm: ECDSA
- size: 256
- rotationPolicy: Always
- dnsNames:
- - {{ include "canary.hostname" . | quote }}
- issuerRef:
- name: {{ required "ingress.tls.clusterIssuer is required" .Values.ingress.tls.clusterIssuer | quote }}
- kind: ClusterIssuer
diff --git a/charts/countly-web-ui-canary/templates/ingress.yaml b/charts/countly-web-ui-canary/templates/ingress.yaml
index 0b09d0e..5b5f22a 100644
--- a/charts/countly-web-ui-canary/templates/ingress.yaml
+++ b/charts/countly-web-ui-canary/templates/ingress.yaml
@@ -3,7 +3,6 @@
 {{- $apiPort := .Values.backend.ports.api | int -}}
 {{- $ingestorPort := .Values.backend.ports.ingestor | int -}}
 {{- $jobserverPort := .Values.backend.ports.jobserver | int -}}
-{{- $tlsSecret := printf "%s-tls" $fullname -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -12,17 +11,16 @@ metadata:
 labels:
 {{- include "canary.labels" . | nindent 4 }}
 annotations:
- # No cert-manager annotations here — the Certificate is managed explicitly
- # by templates/certificate.yaml so we can set issue-temporary-certificate.
- # ingress-shim in cert-manager v1.17 doesn't propagate that annotation from
- # Ingress to Certificate, so chart owns the Certificate directly.
+ # No TLS on canaries: F5 NIC's hardcoded HTTP→HTTPS redirect plus its
+ # mergeable-ingress requirement (master/minion annotations on both the
+ # canary Ingress and cert-manager's solver Ingress) make HTTP-01 unworkable
+ # without splitting the canary Ingress into master/minion or setting up
+ # DNS-01 with Cloud DNS IAM. Canaries are dev-only previews; serving
+ # http:// is acceptable here. Switch back to TLS once a wildcard cert
+ # for *.v2.count.ly is provisioned (DNS-01 wildcard or external cert).
 {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
- tls:
- - hosts:
- - {{ include "canary.hostname" . | quote }}
- secretName: {{ $tlsSecret | quote }}
 rules:
 - host: {{ include "canary.hostname" . | quote }}
 http:
diff --git a/charts/countly-web-ui-canary/values.yaml b/charts/countly-web-ui-canary/values.yaml
index 4ab1f02..9e9ae8c 100644
--- a/charts/countly-web-ui-canary/values.yaml
+++ b/charts/countly-web-ui-canary/values.yaml
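Review bot: Removing the `tls:` block under `spec:` leaves the canary host served over plaintext HTTP only, and the replacement comment in the annotations stanza explains why TLS was dropped but not what that exposes. The Countly web UI's login form and session cookie would now cross the network in the clear on a public hostname, and any cookie the backend sets with the `Secure` attribute will not be returned over http://, so I would extend the comment with `# Consequence: UI credentials and session cookies are sent in cleartext on this host until TLS is restored.`. `canary.ingressAnnotations` is included right after the new comment but its helper is outside this hunk; if it still emits a `cert-manager.io/cluster-issuer` annotation, ingress-shim would keep creating Certificates for an Ingress with no `tls:` section, so the helper should be checked in the same change. The `rules:` list continues past the end of the hunk.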
@@ -22,12 +22,11 @@ backend:
 ingress:
 className: nginx
- tls:
- # cert-manager auto-provisions a per-canary Let's Encrypt cert via HTTP-01.
- # Each canary gets its own Secret named canary-ui--tls (created by cert-manager
- # on first sync; ~30s ACME delay). The ClusterIssuer must be installed once on v2-new
- # (see countly-deployment/argocd/bootstrap/letsencrypt-clusterissuer.yaml).
- clusterIssuer: letsencrypt-prod-http01
+ # No TLS for canaries (HTTP-only). Canaries are dev-only previews; F5 NIC
+ # mergeable-ingress requirements make per-canary HTTP-01 unworkable without
+ # significant chart restructuring. To re-enable TLS later, provision a
+ # wildcard cert for *.v2.count.ly (DNS-01 ClusterIssuer or external) and
+ # add a tls section back to templates/ingress.yaml referencing the shared Secret.
 annotations: {}
 resources: