diff --git a/.gitignore b/.gitignore
index 51d82c770..dbbdfa7af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 .*.yaml
 .*.json
 .*.rego
+*.jq
 pem
 env
 coverage.txt
diff --git a/config/envoyconfig/listeners.go b/config/envoyconfig/listeners.go
index 954802a88..f234829f8 100644
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@@ -114,9 +114,7 @@ func getAllCertificates(cfg *config.Config) ([]tls.Certificate, error) {
 		return nil, fmt.Errorf("error getting wildcard certificate: %w", err)
 	}
 
-	// wildcard certificate must be first so that it is used as the default certificate
-	// when no SNI matches
-	return append([]tls.Certificate{*wc}, allCertificates...), nil
+	return append(allCertificates, *wc), nil
 }
 
 func (b *Builder) buildTLSSocket(ctx context.Context, cfg *config.Config, certs []tls.Certificate) (*envoy_config_core_v3.TransportSocket, error) {