You absolutely must have the controller running, and it must be contactable to enroll a client. The excellent 5-part (very detailed) series on bootstrapping trust gets into that.
At the end of the day your phone will make a CSR (certificate signing request) and send it to the controller. That needs to succeed. If your controller is down (or if it's misconfigured, perhaps advertising the wrong ports), then that would be why it failed. After that, JWT expired: take it to jwt.io and paste it into their JWT debugger... see what the "iss" (shown below) shows you. Verify that it is the external address of YOUR controller (you can see mine shown, on port 8441) and verify your phone can reach it.
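The same inspection can be done offline instead of pasting the token into a web debugger. The following is an added example, not code from the post above or from the controller project: it decodes the enrollment JWT's payload without verifying the signature, pulls the `iss` claim, splits it into host and port, checks `exp`, and optionally attempts a TCP connect to confirm the enrolling device can reach that address. The token, the issuer `https://ctrl.example.com:8441` and the `sub`/`exp` values are constructed for the example.

```python
import base64
import json
import socket
from urllib.parse import urlparse


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample enrollment token (header.payload.signature). The signature
# segment is a placeholder; nothing here verifies it, this is inspection only.
SAMPLE_PAYLOAD = {
    "iss": "https://ctrl.example.com:8441",   # constructed controller address
    "sub": "client-identity-placeholder",     # constructed identity name
    "exp": 1700000000,                        # constructed expiry (unix time)
}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    "signature-placeholder",
])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT signature verification (debugging aid)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)     # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_endpoint(token: str) -> tuple[str, int]:
    """Parse the 'iss' claim into the (host, port) the client must reach."""
    iss = decode_jwt_claims(token).get("iss")
    if not iss:
        raise ValueError("JWT has no 'iss' claim")
    url = urlparse(iss)
    if url.scheme != "https" or not url.hostname:
        raise ValueError(f"unexpected issuer URL: {iss!r}")
    return url.hostname, url.port or 443


def is_expired(token: str, now: int) -> bool:
    """True if the token's 'exp' claim is at or before 'now' (unix seconds)."""
    exp = decode_jwt_claims(token).get("exp")
    return exp is not None and now >= exp


def controller_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect check, run from the device that is trying to enroll."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import time
    host, port = issuer_endpoint(SAMPLE_JWT)
    print(f"iss -> {host}:{port}")
    print("expired:", is_expired(SAMPLE_JWT, int(time.time())))
    # The constructed host will not resolve; run this against a real token
    # copied from the enrolling device.
    print("reachable:", controller_reachable(host, port))
```

Run it on the device that failed to enroll so the reachability check reflects that device's network path, not your workstation's. If `iss` shows a private or wrong address or port, the controller's advertised address is the thing to fix; if it is correct but unreachable, the problem is routing or a firewall between the device and that port.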