diff --git a/backend/internal/api/routes/routes_test.go b/backend/internal/api/routes/routes_test.go
index fb32b7c6..9f8f8dfc 100644
--- a/backend/internal/api/routes/routes_test.go
+++ b/backend/internal/api/routes/routes_test.go
@@ -1322,3 +1322,29 @@ func TestMigrateViewerToPassthrough(t *testing.T) {
 	require.NoError(t, db.First(&updated, viewer.ID).Error)
 	assert.Equal(t, models.RolePassthrough, updated.Role)
 }
+
+func TestRegister_CleansLetsEncryptCertAssignments(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared&_test_lecleaner"), &gorm.Config{})
+	require.NoError(t, err)
+
+	// Pre-migrate just the two tables needed to seed test data before Register runs.
+	require.NoError(t, db.AutoMigrate(&models.SSLCertificate{}, &models.ProxyHost{}))
+
+	cert := models.SSLCertificate{Provider: "letsencrypt"}
+	require.NoError(t, db.Create(&cert).Error)
+
+	certID := cert.ID
+	host := models.ProxyHost{DomainNames: "test.example.com", CertificateID: &certID}
+	require.NoError(t, db.Create(&host).Error)
+
+	cfg := config.Config{JWTSecret: "test-secret"}
+	err = Register(router, db, cfg)
+	require.NoError(t, err)
+
+	var reloaded models.ProxyHost
+	require.NoError(t, db.First(&reloaded, host.ID).Error)
+	assert.Nil(t, reloaded.CertificateID, "letsencrypt cert assignment must be cleared")
+}
diff --git a/backend/internal/models/seed_test.go b/backend/internal/models/seed_test.go
index 77e19199..d722612a 100644
--- a/backend/internal/models/seed_test.go
+++ b/backend/internal/models/seed_test.go
@@ -59,6 +59,18 @@ func TestSeedDefaultSecurityConfig_Idempotent(t *testing.T) {
 	assert.Equal(t, int64(1), count, "exactly one row should exist after two seed calls")
 }
 
+func TestSeedDefaultSecurityConfig_DBError(t *testing.T) {
+	db := newSeedTestDB(t)
+
+	sqlDB, err := db.DB()
+	require.NoError(t, err)
+	require.NoError(t, sqlDB.Close())
+
+	rec, err := models.SeedDefaultSecurityConfig(db)
+	assert.Error(t, err)
+	assert.Nil(t, rec)
+}
+
 func TestSeedDefaultSecurityConfig_DoesNotOverwriteExisting(t *testing.T) {
 	db := newSeedTestDB(t)