diff --git a/ansible/group_vars/all/oas.yml b/ansible/group_vars/all/oas.yml
index 137a90157d9946ee6d0348109b4134e8b407c0a2..aa5423469c5510f3ddc06801af17e01b4566a54e 100644
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -68,6 +68,12 @@ rke:
   # checksum: 'sha256:https://github.com/rancher/rke/releases/download/v0.2.4/sha256sum.txt'
   checksum: 'sha256:96b366fe1faaa668b3e47f5b6d4bfd6334224e33c21e55dc79ec96f85e0e48e8'
 
+cert_manager:
+  # cert-manager requires custom resource definitions applied before installing
+  # the helm chart. See https://hub.helm.sh/charts/jetstack/cert-manager for
+  # details
+  crd_version: '0.14.2'
+
 # If true, let the auto-update mechanism (flux) follow a cluster-local git
 # repo, not one hosted on open.greenhost.net.
 local_flux: false
diff --git a/ansible/roles/apps/tasks/cert-manager.yml b/ansible/roles/apps/tasks/cert-manager.yml
index 42534dc27bdfaa1ae9ebfcf792486cbf704ffe5b..967f125cc464169d7b2d46a820dd2d17f92b0743 100644
--- a/ansible/roles/apps/tasks/cert-manager.yml
+++ b/ansible/roles/apps/tasks/cert-manager.yml
@@ -16,3 +16,8 @@
         - config
         - flux
         - cert-manager
+
+- name: Install CRDs for cert-manager
+  tags:
+    - cert-manager
+  command: '/snap/bin/kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v{{ cert_manager.crd_version }}/cert-manager.crds.yaml'