diff --git a/lib/vhost-sni-server.js b/lib/vhost-sni-server.js
index 478224c..06f396d 100644
--- a/lib/vhost-sni-server.js
+++ b/lib/vhost-sni-server.js
@@ -28,6 +28,43 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
     return dummyCerts;
   }
 
+  function handleAppScopedError(fn) {
+    return function (req, res, next) {
+      next(function (err) {
+        if (!err) {
+          fn(req, res);
+          return;
+        }
+
+        console.error(err);
+        res.writeHead(500);
+        res.end(
+            "<html>"
+          + "<head>"
+          + '<link rel="icon" href="favicon.ico" />'
+          + "</head>"
+          + "<body>"
+          + "<pre>"
+          + "<code>"
+          + "Method: " + req.method
+          + '\n'
+          + "Hostname: " + domaininfo.hostname
+          + '\n'
+          + "App: " + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+          + '\n'
+          + "Route: " + req.url//.replace(/^\//, '')
+          + '\n'
+            // TODO better sanatization
+          + 'Error: '  + (err.message || err.toString()).replace(/</g, '&lt;')
+          + "</code>"
+          + "</pre>"
+          + "</body>"
+          + "</html>"
+        );
+      });
+    }
+  }
+
   function createSecureContext(certs) {
     // workaround for v0.12 / v1.2 backwards compat
     try {
@@ -98,41 +135,14 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
             // we always add it explicitly
             function localAppWrapped(req, res) {
               console.log('[debug]', domaininfo.hostname + '/' + domaininfo.pathname, req.url);
-              localApp(req, res, function (err) {
-                if (err) {
-                  console.error(err);
-                  res.end(
-                      "<html>"
-                    + "<head>"
-                    + '<link rel="icon" href="favicon.ico" />'
-                    + "</head>"
-                    + "<body>"
-                    + "<pre>"
-                    + "<code>"
-                    + "Method: " + req.method
-                    + '\n'
-                    + "Hostname: " + domaininfo.hostname
-                    + '\n'
-                    + "App: " + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
-                    + '\n'
-                    + "Route: " + req.url//.replace(/^\//, '')
-                    + '\n'
-                      // TODO better sanatization
-                    + 'Error: '  + (err.message || err.toString()).replace(/</g, '&lt;')
-                    + "</code>"
-                    + "</pre>"
-                    + "</body>"
-                    + "</html>"
-                  );
-                  return;
-                }
+              localApp(req, res, handleAppScopedError(function () {
                 if (!serveFavicon) {
                   serveFavicon = require('serve-favicon')(path.join(__dirname, '..', 'public', 'favicon.ico'));
                 }
 
                 // TODO redirect GET /favicon.ico to GET (req.headers.referer||'') + /favicon.ico
                 // TODO other common root things - robots.txt, app-icon, etc
-                serveFavicon(req, res, function (err2) {
+                serveFavicon(req, res, handleAppScopedError(function () {
                   res.writeHead(404);
                   res.end(
                       "<html>"
@@ -163,8 +173,8 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
                     + domaininfo.hostname + '/' + domaininfo.pathname
                     + ', but was not handled. Forcing hard stop to prevent fallthru." } }');
                   */
-                });
-              });
+                }));
+              }));
             }
             try {
               domainMergeMap[domaininfo.hostname].apps.use('/' + domaininfo.pathname, localAppWrapped);