Fix duplicate ACME entries for subdomains covered by wildcard ACME host

The previous fix (92fa1cb) only collapsed subdomains when an explicit
managed/imported certificate had a wildcard. When all hosts use Caddy
Auto (no certificate assigned), the wildcard ACME host was not checked
against sibling subdomain hosts, so each showed as a separate entry.

Also adds a startup migration to rename the stored IONOS DNS credential
key from api_token to auth_api_token for users who configured IONOS
before ef62ef2.

Closes #110

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/(dashboard)/certificates/page.tsx

@@ -180,6 +180,28 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
     }
   }
 
+  // Among ACME auto-managed hosts, collapse subdomain hosts under wildcard hosts.
+  // e.g. if *.domain.de is an ACME host, sub.domain.de should not appear separately.
+  const wildcardAcmeHosts = filteredAcmeHosts.filter(h => h.domains.some(d => d.startsWith('*.')));
+  const wildcardDomainSets = wildcardAcmeHosts.map(h => h.domains);
+  const deduplicatedAcmeHosts: AcmeHost[] = [];
+  for (const host of filteredAcmeHosts) {
+    // Never collapse a host that itself has a wildcard domain
+    if (host.domains.some(d => d.startsWith('*.'))) {
+      deduplicatedAcmeHosts.push(host);
+      continue;
+    }
+    // Check if all of this host's domains are covered by any wildcard ACME host
+    const coveredByWildcard = wildcardDomainSets.some(wcDomains =>
+      host.domains.every(d => isDomainCoveredByCert(d, wcDomains))
+    );
+    if (coveredByWildcard) {
+      adjustedAcmeTotal--;
+    } else {
+      deduplicatedAcmeHosts.push(host);
+    }
+  }
+
   const importedCerts: ImportedCertView[] = [];
   const managedCerts: ManagedCertView[] = [];
   const issuedByCa = issuedClientCerts.reduce<Map<number, IssuedClientCertificate[]>>((map, cert) => {
@@ -214,7 +236,7 @@ export default async function CertificatesPage({ searchParams }: PageProps) {
 
   return (
     <CertificatesClient
-      acmeHosts={filteredAcmeHosts}
+      acmeHosts={deduplicatedAcmeHosts}
       importedCerts={importedCerts}
       managedCerts={managedCerts}
       caCertificates={caCertificateViews}

src/lib/db.ts

@@ -301,10 +301,48 @@ function runCloudflareToProviderMigration() {
   db.insert(settingsTable).values({ key: "dns_provider_migrated", value: "true", updatedAt: now }).run();
 }
 
+/**
+ * One-time migration: rename IONOS DNS credential key from the old
+ * `api_token` to the correct `auth_api_token` expected by the libdns module.
+ * Idempotent — skips if the key has already been renamed or never existed.
+ */
+function runIonosFieldNameMigration() {
+  if (sqlitePath === ":memory:") return;
+
+  const { settings: settingsTable } = schema;
+
+  const flag = db.select().from(settingsTable).where(eq(settingsTable.key, "ionos_field_migrated")).get();
+  if (flag) return;
+
+  const row = db.select().from(settingsTable).where(eq(settingsTable.key, "dns_provider")).get();
+  if (row) {
+    try {
+      const parsed = JSON.parse(row.value) as { providers?: Record<string, Record<string, string>>; default?: string };
+      const ionos = parsed.providers?.ionos;
+      if (ionos && "api_token" in ionos && !("auth_api_token" in ionos)) {
+        ionos.auth_api_token = ionos.api_token;
+        delete ionos.api_token;
+        const now = new Date().toISOString();
+        db.update(settingsTable)
+          .set({ value: JSON.stringify(parsed), updatedAt: now })
+          .where(eq(settingsTable.key, "dns_provider"))
+          .run();
+        console.log("Migrated IONOS DNS provider field: api_token -> auth_api_token");
+      }
+    } catch (e) {
+      console.warn("Failed to migrate IONOS field name:", e);
+    }
+  }
+
+  const now = new Date().toISOString();
+  db.insert(settingsTable).values({ key: "ionos_field_migrated", value: "true", updatedAt: now }).run();
+}
+
 try {
   runBetterAuthDataMigration();
   runEnvProviderSync();
   runCloudflareToProviderMigration();
+  runIonosFieldNameMigration();
 } catch (error) {
   console.warn("Better Auth data migration warning:", error);
 }

tests/e2e/certificates.spec.ts

@@ -69,4 +69,51 @@ test.describe('Certificates', () => {
       await page.request.delete(`${API}/certificates/${cert.id}`, { headers });
     }
   });
+
+  test('ACME wildcard host hides subdomain ACME hosts in certificates page', async ({ page }) => {
+    const BASE_URL = 'http://localhost:3000';
+    const API = `${BASE_URL}/api/v1`;
+    const headers = { 'Content-Type': 'application/json', 'Origin': BASE_URL };
+    const domain = `acme-wc-${Date.now()}.example`;
+
+    // 1. Create a proxy host with wildcard domain (no certificate → ACME auto)
+    const wcHostRes = await page.request.post(`${API}/proxy-hosts`, {
+      data: {
+        name: `Wildcard ${domain}`,
+        domains: [`*.${domain}`],
+        upstreams: ['127.0.0.1:8080'],
+      },
+      headers,
+    });
+    expect(wcHostRes.status()).toBe(201);
+    const wcHost = await wcHostRes.json();
+
+    // 2. Create a proxy host for a subdomain (also no certificate → ACME auto)
+    const subHostRes = await page.request.post(`${API}/proxy-hosts`, {
+      data: {
+        name: `Sub ${domain}`,
+        domains: [`sub.${domain}`],
+        upstreams: ['127.0.0.1:8080'],
+      },
+      headers,
+    });
+    expect(subHostRes.status()).toBe(201);
+    const subHost = await subHostRes.json();
+
+    try {
+      // 3. Visit certificates page — subdomain should be collapsed under the wildcard
+      await page.goto('/certificates');
+      await expect(page.getByRole('tab', { name: /acme/i })).toBeVisible();
+      await page.getByRole('tab', { name: /acme/i }).click();
+
+      const acmeTab = page.locator('[role="tabpanel"]');
+      // The wildcard host should be visible
+      await expect(acmeTab.getByText(`*.${domain}`)).toBeVisible({ timeout: 5_000 });
+      // The subdomain host should NOT appear as a separate entry
+      await expect(acmeTab.getByText(`sub.${domain}`)).not.toBeVisible({ timeout: 5_000 });
+    } finally {
+      await page.request.delete(`${API}/proxy-hosts/${subHost.id}`, { headers });
+      await page.request.delete(`${API}/proxy-hosts/${wcHost.id}`, { headers });
+    }
+  });
 });