
httpcaddyfile: wildcard get_certificate not applying to specific subdomains#7563

Closed
filiabel wants to merge 1 commit intocaddyserver:masterfrom
filiabel:claude/fix-issue-7559

Conversation

@filiabel

Fixes #7559

Assistance Disclosure

Claude Opus 4.6 generated all code under my guidance.
I verified the results using the same runtime method as in the repro, with a build of the PR.


Analysis and fix by Claude Opus 4.6

When a Caddyfile defines a wildcard site with get_certificate (e.g. *.example.com) alongside a specific subdomain site without explicit TLS config (e.g. foo.example.com), the subdomain fails TLS handshakes with "no certificate available."

Root cause: During config adaptation, consolidateAutomationPolicies creates an empty automation policy for foo.example.com (no issuers, no managers) and a separate policy for *.example.com with the get_certificate manager. Since policies are matched most-specific-first, foo.example.com hits the empty policy and never reaches the wildcard's get_certificate handler.

The existing consolidation logic only removed empty policies for internal/non-public names. This fix also removes empty policies whose subjects are entirely covered by a later wildcard policy that has get_certificate managers, allowing the subdomain to fall through to the wildcard policy.
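The shadowing described in the PR text above, as an added example that is not Caddy's own code and does not reproduce consolidateAutomationPolicies: a simplified Go model in which automation policies are matched most-specific-first, so an empty policy for foo.example.com wins the lookup and yields "no certificate available", and a consolidate step that applies the rule the PR describes (drop an empty policy whose subjects are all covered by a later wildcard policy that has get_certificate managers). Policy, matches, certSource, consolidate and the sample policies are constructed for this example and are not Caddy identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Policy is a constructed stand-in for a TLS automation policy as adapted from a
// Caddyfile; it is not Caddy's caddytls.AutomationPolicy type.
type Policy struct {
	Subjects    []string // hostnames the policy applies to, e.g. "foo.example.com" or "*.example.com"
	HasIssuers  bool     // explicit certificate issuers configured
	HasManagers bool     // get_certificate managers configured
}

// Empty reports whether the policy has neither issuers nor managers, so it can
// match a name without being able to supply a certificate for it.
func (p Policy) Empty() bool { return !p.HasIssuers && !p.HasManagers }

// matches reports whether pattern covers name; a "*." wildcard matches exactly one label.
func matches(pattern, name string) bool {
	if pattern == name {
		return true
	}
	if !strings.HasPrefix(pattern, "*.") {
		return false
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	label := strings.TrimSuffix(name, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// sortMostSpecificFirst orders exact hostnames before wildcards, mirroring the
// most-specific-first policy lookup the PR describes.
func sortMostSpecificFirst(policies []Policy) {
	isWildcard := func(p Policy) bool {
		for _, s := range p.Subjects {
			if strings.HasPrefix(s, "*.") {
				return true
			}
		}
		return false
	}
	sort.SliceStable(policies, func(i, j int) bool {
		return !isWildcard(policies[i]) && isWildcard(policies[j])
	})
}

// certSource takes the first policy matching name and reports where its certificate
// would come from; an empty policy wins the match but cannot provide a certificate.
func certSource(policies []Policy, name string) (string, error) {
	for _, p := range policies {
		for _, s := range p.Subjects {
			if !matches(s, name) {
				continue
			}
			switch {
			case p.HasManagers:
				return fmt.Sprintf("get_certificate manager via %s", s), nil
			case p.HasIssuers:
				return fmt.Sprintf("issuer via %s", s), nil
			default:
				return "", errors.New("no certificate available for " + name)
			}
		}
	}
	return "", errors.New("no policy matches " + name)
}

// consolidate drops an empty policy only when every one of its subjects is covered
// by a later wildcard policy that has get_certificate managers, so the name falls
// through to that wildcard policy at lookup time.
func consolidate(policies []Policy) []Policy {
	out := make([]Policy, 0, len(policies))
	for i, p := range policies {
		if p.Empty() && coveredByLaterWildcard(policies, i) {
			continue
		}
		out = append(out, p)
	}
	return out
}

func coveredByLaterWildcard(policies []Policy, i int) bool {
	for _, subj := range policies[i].Subjects {
		found := false
		for _, later := range policies[i+1:] {
			if !later.HasManagers {
				continue // a wildcard without managers could not serve the name either
			}
			for _, w := range later.Subjects {
				if strings.HasPrefix(w, "*.") && matches(w, subj) {
					found = true
				}
			}
		}
		if !found {
			return false
		}
	}
	return len(policies[i].Subjects) > 0
}

// examplePolicies is the constructed scenario from the PR: a wildcard site with
// get_certificate next to a subdomain site with no TLS config of its own.
func examplePolicies() []Policy {
	ps := []Policy{
		{Subjects: []string{"*.example.com"}, HasManagers: true},
		{Subjects: []string{"foo.example.com"}},
	}
	sortMostSpecificFirst(ps)
	return ps
}

func main() {
	before := examplePolicies()
	_, err := certSource(before, "foo.example.com")
	fmt.Println("before consolidation:", err)
	src, _ := certSource(consolidate(before), "foo.example.com")
	fmt.Println("after consolidation:", src)
}
```

The guard in coveredByLaterWildcard is the narrow part mholt refers to below: an empty subdomain policy is only dropped when the covering wildcard actually has managers, so a wildcard with issuers alone still leaves the subdomain with its own empty policy.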

@CLAassistant

CLAassistant commented Mar 12, 2026

CLA assistant check
All committers have signed the CLA.

@francislavoie francislavoie changed the title fix: wildcard get_certificate not applying to specific subdomains httpcaddyfile: wildcard get_certificate not applying to specific subdomains Mar 12, 2026
@mholt
Member

mholt commented Mar 13, 2026

Thanks, but I believe this patch is too narrow... I submitted my own patch (manually crafted) at #7567 that I think is a better fix. Would you be able to try it?

@filiabel
Author

Closing in favor of #7567

@filiabel filiabel closed this Mar 13, 2026

Development

Successfully merging this pull request may close these issues.

Regression for wildcard tls get_certificate http in v2.11