
CSCur43050 - APs mfg in September/October 2014 unable to join an AireOS controller

samuel.heinrich
Level 1

Is there a release date for the 8.0.(100.5) release?

7.6.x is not an option for a workaround because it doesn't support 1702 APs.

4 Replies

samuel.heinrich
Level 1

For those who run into the same issue, ask the TAC for special file access to AireOS 8.0.100.6.

The filename is: AS_5500_8_0_100_6.aes

and it works for 5508 as well as 2504 WLCs.

1

Leo Laohoo
Hall of Fame

8.0.110.0 is now out.  

 

This bug has been fixed with this release.  I've tested it myself.

Jeff Orr
Level 5

Got this from TAC today:

This behavior seems like the bug CSCur43050:

 

https://tools.cisco.com/bugsearch/bug/CSCur43050/?referring_site=ss

 

 

As this is a single AP, try to make an upgrade of the image on it, as the bug suggests as a known fixed release:

https://software.cisco.com/download/release.html?mdfid=286281141&flowid=71622&softwareid=280775090&release=15.3.3-JA1&relind=AVAILABLE&rellifecycle=ED&reltype=latest

 

New Aironet APs with factory installed recovery IOS are able to join the controller 8.0.100.0 and download 15.3(3)JA IOS. But after the AP reload, the APs are unable to join the controller. On the AP, logs similar to the following are seen:

*Oct 16 12:39:06.231: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Oct 16 13:14:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: ***.***.***.*** peer_port: 5246
Peer certificate verification failed FFFFFFFF

*Oct 16 13:14:56.127: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to ***.***.***.***:5246
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to ***.***.***.***:5246

Another symptom of this problem is that the AP may be able to join the 8.0.100.0 controller, download the IOS code, boot up and join the controller OK ... but when it goes to upgrade to newer 8.x code, it gets stuck in a loop failing the download.

*Nov 11 10:13:53.003: Currently running a Release Image
*Nov 11 10:13:53.027: Using SHA-2 signed certificate for image signing validation.
*Nov 11 10:13:53.091: Image signing certificate validation failed (FFFFFFFF).
*Nov 11 10:13:53.091: Failed to validate signature
*Nov 11 10:13:53.091: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.v153_80mr.201410311616/final_hash)
*Nov 11 10:13:53.091: AP image integrity check FAILED
Aborting Image Download
Download image failed, notify controller!!! From:8.0.100.0 to 8.0.102.34, FailureCode:3
archive download: takes 339 seconds
*Nov 11 10:14:02.399: capwap_image_proc: problem extracting tar file

Conditions:
Seen only with APs that were manufactured in August, September or October, 2014 - all Aironet APs were affected EXCEPT the 700 series. Seen with WLCs running 8.0.100.0 or an 8.0.100.x special.

If the WLC was manufactured in September 2014, or later (i.e. has a SHA2 MIC), then the first symptom is seen, i.e. the AP joins the 8.0.100 WLC, downloads the image, but then fails to rejoin.

If the WLC was manufactured before September 2014 (i.e. does not have a SHA2 MIC), then the second symptom is seen, i.e. the AP can join the 8.0.100 WLC OK, but then will fail download during a subsequent upgrade.

Also seen with new APs trying to join a controller running IOS-XE 3.6.0 (15.3(3)JN k9w8 image). (Track CSCur50946 for the IOS-XE fix.)

Workaround:
If the WLC has software version 7.6 or earlier, avoid upgrading to 8.0.100.0 and upgrade the WLC directly to version 8.0.110.0.

Downgrade to AireOS 7.6.130.0, or to IOS-XE 3.3, if the APs are supported in the earlier code.

If the WLC has software version 8.0.100.x, follow these steps:

1. Upgrade the WLC to software version 8.0.104.0:
- All controllers
https://software.cisco.com/download/special/release.html?config=020a1d7471d1b9f18931c04da727ff74
- WISM2
https://software.cisco.com/download/special/release.html?config=03c066b2c18c8631a0422589c140e33e
2. Allow all APs to join the WLC and upgrade to software version 8.0.104.0.
3. Upgrade the WLC to software version 8.0.110.0.
Note: Step 2 is required to push the 8.0.104.0 special software version onto the APs in order to allow all future upgrades.
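
The two symptoms quoted above can be told apart from AP console output alone. The following is an added example, not part of the original posts or any Cisco tooling: a small triage script that matches the log signatures quoted in this thread and reports which symptom is present and what it suggests about the WLC's certificate, per the "Conditions" text. The function name `triage`, the result keys and the sample peer address 192.0.2.10 are assumptions made for the example.

```python
import re

# Signatures copied from the AP console output quoted in this thread.
SIGNATURES = {
    "join_failure": (
        r"Peer certificate verification failed",
        r"DTLS_CLIENT_ERROR: .*Certificate verified failed",
        r"%DTLS-5-SEND_ALERT: Send FATAL : Bad certificate",
    ),
    "image_download_failure": (
        r"Image signing certificate validation failed",
        r"Digital Signature Failed Validation",
        r"AP image integrity check FAILED",
    ),
}
# What each symptom implies about the WLC, per the "Conditions" text above.
WLC_HINT = {
    "join_failure": "WLC has a SHA2 MIC (manufactured September 2014 or later)",
    "image_download_failure": "WLC has no SHA2 MIC (manufactured before September 2014)",
}
AP_SHA2 = re.compile(r"AP has SHA2 MIC certificate|Using SHA-2 signed certificate")

def triage(log_text):
    """Classify AP console output into the symptoms described for CSCur43050."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    symptoms = {}
    for name, patterns in SIGNATURES.items():
        hits = [l for l in lines if any(re.search(p, l) for p in patterns)]
        if hits:
            symptoms[name] = {"evidence": hits, "wlc_hint": WLC_HINT[name]}
    return {"ap_uses_sha2_cert": any(AP_SHA2.search(l) for l in lines),
            "symptoms": symptoms}

# Constructed sample: lines from the thread, with the masked peer address
# replaced by the documentation address 192.0.2.10.
SAMPLE = """\
*Oct 16 12:39:06.231: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
*Oct 16 13:14:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
Peer certificate verification failed FFFFFFFF
*Oct 16 13:14:56.127: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.0.2.10:5246
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.0.2.10:5246
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("AP presents SHA2 certificate:", result["ap_uses_sha2_cert"])
    for name, info in result["symptoms"].items():
        print(f"{name}: {len(info['evidence'])} matching lines -> {info['wlc_hint']}")
```

A log that matches neither signature set returns an empty `symptoms` dict, which points away from this bug as the cause of a join or download failure.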