diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index c1e3b1457..22bc22816 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -702,6 +702,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 	emptyAP := new(caddytls.AutomationPolicy)
 	for i := 0; i < len(aps); i++ {
 		emptyAP.SubjectsRaw = aps[i].SubjectsRaw
+		emptyAP.ManagersRaw = nil
 		if reflect.DeepEqual(aps[i], emptyAP) {
 			// AP is empty
 			emptyAPCount++
@@ -711,6 +712,10 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 			emptyAP.SubjectsRaw = nil
 			if shadowIdx >= 0 {
 				emptyAP.SubjectsRaw = aps[shadowIdx].SubjectsRaw
+				// allow the later policy, which is likely for a wildcard, to have cert
+				// managers ("get_certificate"), since wildcards now cover specific
+				// subdomains by default, when configured (see discussion in #7559)
+				emptyAP.ManagersRaw = aps[shadowIdx].ManagersRaw
 			}
 
 			// if this is the last AP, we can delete it, since auto-https should
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_12.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_automation_policies_12.caddyfiletest
index 2a1faa805..b79d29746 100644
--- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_12.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_12.caddyfiletest
@@ -6,6 +6,7 @@
 	respond "wildcard"
 }
 
+# certificate for this subdomain is covered by wildcard above
 subdomain.test.local {
 	respond "subdomain"
 }
@@ -77,11 +78,6 @@ subdomain.test.local {
 			"tls": {
 				"automation": {
 					"policies": [
-						{
-							"subjects": [
-								"subdomain.test.local"
-							]
-						},
 						{
 							"subjects": [
 								"*.test.local"
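Review bot: The added `emptyAP.ManagersRaw = nil` reads as a no-op on its own, because `emptyAP` is freshly allocated just above the loop; it is in fact a per-iteration reset of the comparison template, since the shadow branch later in the same loop copies `aps[shadowIdx].ManagersRaw` into it, and without the reset a manager list left over from a previous iteration would make `reflect.DeepEqual` reject the next policy as non-empty. A one-line comment would make this explicit, e.g. `// reset: the shadow branch below may have set this on a previous iteration`. Every field the template is allowed to carry now has to be mirrored in both this reset and that branch, which is worth a sentence on the `emptyAP :=` line as well. consolidateAutomationPolicies starts before the hunk and continues past it.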
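Review bot: The new comment says the shadowing policy is "likely for a wildcard", but nothing in this branch checks that: `emptyAP.ManagersRaw = aps[shadowIdx].ManagersRaw` runs whenever `shadowIdx >= 0`, and how shadowIdx is chosen is outside the hunk, so I cannot tell whether it can point at a non-wildcard policy with the same subjects. If it can, a policy with only subjects is now folded into any later policy that shares those subjects and carries a manager, not only a wildcard one, and the comment should say so rather than imply a wildcard-only rule. The phrase "by default, when configured" is also ambiguous; I would write `// since a wildcard policy now covers its specific subdomains when so configured (see #7559)`. The copy aliases the shadowing policy's slice, which is harmless only because `emptyAP` is used solely as a comparison template; the enclosing function continues outside the hunk.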