3 files changed, 124 insertions, 13 deletions

diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index c4af8e4..2510a9b 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -510,7 +510,10 @@ outer:
 			// if they're exactly equal in every way, just keep one of them
 			if reflect.DeepEqual(aps[i], aps[j]) {
 				aps = append(aps[:j], aps[j+1:]...)
-				break
+				// must re-evaluate current i against next j; can't skip it!
+				// even if i decrements to -1, will be incremented to 0 immediately
+				i--
+				continue outer
 			}
 
 			// if the policy is the same, we can keep just one, but we have
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt
index 502dbd0..d8f2164 100644
--- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_4.txt
@@ -135,18 +135,6 @@ abc.de {
 								"module": "zerossl"
 							}
 						]
-					},
-					{
-						"issuers": [
-							{
-								"email": "my.email@example.com",
-								"module": "acme"
-							},
-							{
-								"email": "my.email@example.com",
-								"module": "zerossl"
-							}
-						]
 					}
 				]
 			}
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_6.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_6.txt
new file mode 100644
index 0000000..b3ad7ff
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_6.txt
@@ -0,0 +1,120 @@
+# (this Caddyfile is contrived, but based on issue #4161)
+
+example.com {
+	tls {
+		ca https://foobar
+	}
+}
+
+example.com:8443 {
+	tls {
+		ca https://foobar
+	}
+}
+
+example.com:8444 {
+	tls {
+		ca https://foobar
+	}
+}
+
+example.com:8445 {
+	tls {
+		ca https://foobar
+	}
+}
+
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				},
+				"srv1": {
+					"listen": [
+						":8443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				},
+				"srv2": {
+					"listen": [
+						":8444"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				},
+				"srv3": {
+					"listen": [
+						":8445"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"example.com"
+						],
+						"issuers": [
+							{
+								"ca": "https://foobar",
+								"module": "acme"
+							}
+						]
+					}
+				]
+			}
+		}
+	}
+}
\ No newline at end of file