diff --git a/server/private/lib/certificates.ts b/server/private/lib/certificates.ts
index 2f74a0f1..4efc397e 100644
--- a/server/private/lib/certificates.ts
+++ b/server/private/lib/certificates.ts
@@ -17,6 +17,7 @@ import { and, eq, isNotNull, or, inArray, sql } from "drizzle-orm";
 import { decryptData } from "@server/lib/encryption";
 import * as fs from "fs";
 import NodeCache from "node-cache";
+import logger from "@server/logger";
 
 const encryptionKeyPath =
     config.getRawPrivateConfig().server.encryption_key_path;
@@ -69,7 +70,8 @@ export async function getValidCertificatesForDomains(
 
     // 2. If all domains were resolved from the cache, return early
     if (domainsToQuery.size === 0) {
-        return decryptFinalResults(finalResults);
+        const decryptedResults = decryptFinalResults(finalResults);
+        return decryptedResults;
     }
 
     // 3. Prepare domains for the database query
@@ -126,23 +128,30 @@ export async function getValidCertificatesForDomains(
     for (const domain of domainsToQuery) {
         let foundCert: (typeof potentialCerts)[0] | undefined = undefined;
 
-        // Priority 1: Check for an exact match
+        // Priority 1: Check for an exact match (non-wildcard)
         if (exactMatches.has(domain)) {
             foundCert = exactMatches.get(domain);
         }
-        // Priority 2: Check for a wildcard match on the parent domain
+        // Priority 2: Check for a wildcard certificate that matches the exact domain
         else {
-            const parts = domain.split(".");
-            if (parts.length > 1) {
-                const parentDomain = parts.slice(1).join(".");
-                if (wildcardMatches.has(parentDomain)) {
-                    foundCert = wildcardMatches.get(parentDomain);
+            if (wildcardMatches.has(domain)) {
+                foundCert = wildcardMatches.get(domain);
+            }
+            // Priority 3: Check for a wildcard match on the parent domain
+            else {
+                const parts = domain.split(".");
+                if (parts.length > 1) {
+                    const parentDomain = parts.slice(1).join(".");
+                    if (wildcardMatches.has(parentDomain)) {
+                        foundCert = wildcardMatches.get(parentDomain);
+                    }
                 }
             }
         }
 
         // If a certificate was found, format it, add to results, and cache it
         if (foundCert) {
+            logger.debug(`Creating result cert for ${domain} using cert from ${foundCert.domain}`);
             const resultCert: CertificateResult = {
                 id: foundCert.certId,
                 domain: foundCert.domain, // The actual domain of the cert record
@@ -163,7 +172,9 @@ export async function getValidCertificatesForDomains(
         }
     }
 
-    return decryptFinalResults(finalResults);
+
+    const decryptedResults = decryptFinalResults(finalResults);
+    return decryptedResults;
 }
 
 function decryptFinalResults(
diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts
index bac11f7d..85a0589d 100644
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -224,6 +224,7 @@ export async function getTraefikConfig(
         }
         // get the valid certs for these domains
         validCerts = await getValidCertificatesForDomains(domains, true); // we are caching here because this is called often
+        logger.debug(`Valid certs for domains: ${JSON.stringify(validCerts)}`);
     }
 
     const config_output: any = {