diff --git a/controller/docker-compose.yml b/controller/docker-compose.yml
index c363d05..7b0879e 100644
--- a/controller/docker-compose.yml
+++ b/controller/docker-compose.yml
@@ -54,11 +54,12 @@ services:
 - "traefik.http.services.controller.loadbalancer.server.port=8080"
 - "traefik.docker.network=traefik-public"
 # Catch-all: branded error page for stopped/undeployed app subdomains
+ # Priority 1 = lowest, so running app routers always win.
+ # No certresolver — uses Traefik's default cert store (previously issued certs).
 - "traefik.http.routers.catchall.rule=HostRegexp(`.+`)"
 - "traefik.http.routers.catchall.priority=1"
 - "traefik.http.routers.catchall.entrypoints=websecure"
 - "traefik.http.routers.catchall.tls=true"
- - "traefik.http.routers.catchall.tls.certresolver=letsencrypt"
 - "traefik.http.routers.catchall.service=controller"
 # Health check labels for monitoring
 - "felhom.managed=true"
diff --git a/controller/internal/web/server.go b/controller/internal/web/server.go
index a8380fe..688161f 100644
--- a/controller/internal/web/server.go
+++ b/controller/internal/web/server.go
@@ -295,7 +295,9 @@ func (s *Server) CatchAllMiddleware(next http.Handler) http.Handler {
 if idx := strings.LastIndex(host, ":"); idx != -1 {
 host = host[:idx]
 }
- if strings.EqualFold(host, controllerHost) || host == "" {
+ // Pass through: controller host, localhost (healthcheck/internal), or empty
+ if strings.EqualFold(host, controllerHost) || host == "" ||
+ host == "localhost" || host == "127.0.0.1" {
 next.ServeHTTP(w, r)
 return
 }
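Review bot: The new comment on the catch-all router says it uses the default cert store but does not say what a client sees when no stored certificate matches the requested name. In that case Traefik falls back to its default certificate, which is self-signed unless one is configured under `tls.stores.default`, so visitors to a never-deployed subdomain would get a certificate warning before the branded error page. I would add a line such as `# Hosts without a stored cert get Traefik's default certificate (self-signed unless tls.stores.default sets one).` It may also be worth confirming that certificates previously issued for stopped apps are still renewed once no router with a certresolver references those hosts.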
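Review bot: The added `host == "localhost" || host == "127.0.0.1"` test trusts what appears to be the request's Host header, which the client chooses, so it does not establish that the request is a local healthcheck; a request arriving through the catch-all router with that header would also reach `next` instead of the branded page. If the exemption is meant for loopback callers only, tie it to the peer address as well, e.g. `peer, _, _ := net.SplitHostPort(r.RemoteAddr)` and then `net.ParseIP(peer).IsLoopback() && (host == "localhost" || host == "127.0.0.1")` (this needs `net` imported, which the hunk does not show). The comparison is also case-sensitive, unlike the `strings.EqualFold` used for the controller host, and `[::1]` is not covered. CatchAllMiddleware starts and ends outside this hunk, so how `host` is derived is not visible here.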