diff --git a/ansible/roles/noble_cert_manager/defaults/main.yml b/ansible/roles/noble_cert_manager/defaults/main.yml
index 0d73278..2ac6532 100644
--- a/ansible/roles/noble_cert_manager/defaults/main.yml
+++ b/ansible/roles/noble_cert_manager/defaults/main.yml
@@ -1,3 +1,6 @@
 ---
 # Warn when **cloudflare-dns-api-token** is missing after apply (also set in **group_vars/all.yml** when loaded).
 noble_cert_manager_require_cloudflare_secret: true
+
+# Helm --wait default (~5m) can expire while startupapicheck waits on webhooks / API (busy or slow pulls).
+noble_helm_cert_manager_wait_timeout: 15m
diff --git a/ansible/roles/noble_cert_manager/tasks/main.yml b/ansible/roles/noble_cert_manager/tasks/main.yml
index e45a4c9..56f413d 100644
--- a/ansible/roles/noble_cert_manager/tasks/main.yml
+++ b/ansible/roles/noble_cert_manager/tasks/main.yml
@@ -26,6 +26,8 @@
       - "{{ noble_repo_root }}/clusters/noble/bootstrap/cert-manager/values.yaml"
       - --force-conflicts
       - --wait
+      - --timeout
+      - "{{ noble_helm_cert_manager_wait_timeout }}"
   environment:
     KUBECONFIG: "{{ noble_kubeconfig }}"
   changed_when: true