Hi,

I am facing the issue that 2702I AP is not joining C5508 controller. Initially all APs were not joining due to country code and certificate validity date. Then I resolved the country code issue and applied config ap cert-expiry-ignore {mic|ssc} enable. After that few APs have joined but still some APs facinf not joining problems. Below are APs and WLC logs

AP logs

*Sep 9 20:28:04.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.10.0.5 peer_port: 5246
*Sep 9 20:28:09.999: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_handshake.c:928 Unexpected message received while expecting HelloVerifyRequest
*Sep 9 20:28:09.999: %DTLS-5-SEND_ALERT: Send FATAL : Unexpected message Alert to 10.10.0.5:5246
*Sep 9 20:28:09.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.10.0.5:5246
*Sep 9 20:29:28.999: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

AP188b.9d7b.3348#test pb display
------------------------------
Display of the Parameter Block
------------------------------
Total Number of Records : 5
Number of Certs : 4
Number of Keys : 1

-----------------------------------
Display of the SHA2 Parameter Block
-----------------------------------
Total Number of Records : 4
Number of Certs : 3
Number of Keys : 1

config ap lifetime-check mic ssc disable

AP188b.9d7b.3348#show crypto pki trustpoints | include SHA2
cn=Cisco Manufacturing CA SHA2
AP188b.9d7b.3348#

Controller

(Cisco Controller) >show certificate all ?

(Cisco Controller) >show certificate all

--------------- Verification Certificates ---------------
Certificate Name: ACT2 EC CA cert

Subject Name :
O=Cisco, CN=ACT2 ECC SUDI CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
02
Validity :
Start : Apr 4 08:26:13 2013 GMT
End : Apr 4 08:15:43.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 32:78:95:b8:c4:e0:3c:ec:14:ae:d9:70:ef:99:c8:d9:34:0b:80:e6
SHA256 Fingerprint : f2:a3:92:57:1e:33:54:9a:b4:36:93:ef:55:67:fb:e6:07:8b:98:28:05:71:0c:26:fe:f6:d8

----------------------------

Certificate Name: ACT2 EC ROOT CA cert

--More-- or (q)uit

Subject Name :
O=Cisco, CN=Cisco ECC Root CA
Issuer Name :
O=Cisco, CN=Cisco ECC Root CA
Serial Number (Hex):
01
Validity :
Start : Apr 4 08:15:44 2013 GMT
End : Apr 4 08:15:44.704 2053 GMT
Signature Algorithm :
ecdsa-with-SHA384
Hash key :
SHA1 Fingerprint : 52:ec:7d:bb:5c:65:11:dd:c1:c5:46:db:bc:29:49:b5:ab:e9:d0:ee
SHA256 Fingerprint : 8d:b4:9f:4b:13:ee:ad:89:c5:cc:a2:9e:c0:33:72:59:14:45:86:5b:7a:fd:e8:2c:33:76:0f

----------------------------

Certificate Name: ACT2 RSA CA cert

Subject Name :
O=Cisco, CN=ACT2 SUDI CA
Issuer Name :

--More-- or (q)uit
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
61096E7D00000000000C
Validity :
Start : Jun 30 17:56:57 2011 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : f6:96:9b:bd:48:e5:f6:12:5b:93:4d:01:e7:1f:e9:c2:7c:6f:54:7e
SHA256 Fingerprint : 65:fa:b0:4a:ef:29:8b:e3:b9:42:e6:0e:1a:94:17:b9:c0:c6:a1:8e:e0:45:f2:d1:11:4d:55

----------------------------

Certificate Name: Cisco Manufacturing CA SHA2 cert

Subject Name :
O=Cisco, CN=Cisco Manufacturing CA SHA2
Issuer Name :
O=Cisco, CN=Cisco Root CA M2
Serial Number (Hex):
02
Validity :

--More-- or (q)uit
Start : Nov 12 13:50:58 2012 GMT
End : Nov 12 13:00:17 2037 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : 90:b2:e0:6b:7a:d5:da:ff:cf:d4:31:87:29:09:f3:81:37:47:1b:f8
SHA256 Fingerprint : 95:a0:e5:8a:99:8e:80:2a:c7:7a:d5:29:b9:ad:d8:e5:b4:0c:f9:0a:f3:9a:85:6d:b5:14:a3

----------------------------

Certificate Name: Cisco Root CA SHA2 cert

Subject Name :
O=Cisco, CN=Cisco Root CA M2
Issuer Name :
O=Cisco, CN=Cisco Root CA M2
Serial Number (Hex):
01
Validity :
Start : Nov 12 13:00:18 2012 GMT
End : Nov 12 13:00:18 2037 GMT
Signature Algorithm :
sha256WithRSAEncryption

--More-- or (q)uit
Hash key :
SHA1 Fingerprint : 93:3d:63:3a:4e:84:0d:a4:c2:8e:89:5d:90:0f:d3:11:88:86:f7:a3
SHA256 Fingerprint : cd:85:16:7b:39:35:e2:7b:cc:3b:0f:5f:a2:4c:84:57:88:2d:0b:b9:94:f8:82:69:a7:f7:28

----------------------------

Certificate Name: Cisco Manufacturing CA SHA1 cert

Subject Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
6A6967B3000000000003
Validity :
Start : Jun 10 22:16:01 2005 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:e7:83:d3:cc:9c:30:ae:de:ff:cd:eb:5e:cf:ee:08:ff:8f:16:84
SHA256 Fingerprint : c7:4d:4b:4a:14:51:9d:d0:65:19:1d:96:84:5e:8d:4e:c8:51:43:6b:c5:59:c4:a4:5e:24:ca

--More-- or (q)uit
----------------------------

Certificate Name: Cisco Root CA SHA1 cert

Subject Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Issuer Name :
O=Cisco Systems, CN=Cisco Root CA 2048
Serial Number (Hex):
5FF87B282B54DC8D42A315B568C9ADFF
Validity :
Start : May 14 20:17:12 2004 GMT
End : May 14 20:25:42 2029 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : de:99:0c:ed:99:e0:43:1f:60:ed:c3:93:7e:7c:d5:bf:0e:d9:e5:fa
SHA256 Fingerprint : 83:27:bc:8c:9d:69:94:7b:3d:e3:c2:75:11:53:72:67:f5:9c:21:b9:fa:7b:61:3f:af:bc:cd

----------------------------

Certificate Name: Airespace Build CA cert

--More-- or (q)uit
Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Build CA, emailAddress
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Serial Number (Hex):
01
Validity :
Start : Jul 31 13:41:31 2003 GMT
End : Apr 29 13:41:31 2013 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:50:2f:94:f5:54:b9:e4:c2:b3:cb:3c:f8:5c:6b:ca:86:0f:5f:8d
SHA256 Fingerprint : e6:50:49:d6:d5:c7:f2:3c:e7:e9:f6:5e:48:32:5d:f1:39:82:60:06:f7:61:41:a2:60:89:37

----------------------------

Certificate Name: Airspace device CA cert

Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Device CA, emailAddres
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=

--More-- or (q)uit
Serial Number (Hex):
03
Validity :
Start : Apr 28 22:37:13 2005 GMT
End : Jan 26 22:37:13 2015 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : ae:25:ff:04:12:8a:62:f0:f8:4a:e8:76:b1:fe:c3:0d:78:dd:c6:1b
SHA256 Fingerprint : 92:09:e5:a9:e3:97:5c:6c:56:bc:9c:11:d4:8b:b1:c0:a4:c5:10:97:e7:0b:02:51:ee:bd:07

----------------------------

Certificate Name: Airespace Root CA cert

Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Issuer Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Root CA, emailAddress=
Serial Number (Hex):
0
Validity :
Start : Jul 31 13:41:22 2003 GMT

--More-- or (q)uit
End : Apr 29 13:41:22 2013 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 94:ec:7d:ba:e4:e6:fb:f1:e0:44:03:81:cb:ed:ef:32:79:c9:90:b5
SHA256 Fingerprint : 92:62:22:3e:92:a6:48:07:0c:86:54:c4:6f:1b:04:af:5b:1d:58:c5:7a:f2:bc:b8:76:db:41

----------------------------

Certificate Name: Old Airespace CA cert

Subject Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Serial Number (Hex):
0
Validity :
Start : Feb 12 23:38:55 2003 GMT
End : Nov 11 23:38:55 2012 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :

--More-- or (q)uit
SHA1 Fingerprint : 05:87:eb:cc:ab:55:a3:67:56:f4:59:75:cb:b1:65:47:45:6d:84:9c
SHA256 Fingerprint : 96:b4:a7:47:1e:50:d8:38:4c:4d:4f:49:e3:53:61:f6:50:7c:a4:8f:78:07:7b:0f:9c:8c:40

----------------------------

-------------- Identification Certificates --------------
Certificate Name: Cert for Web Authentication

Subject Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAuth), CN=1.1.1.1
Issuer Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAuth), CN=1.1.1.1
Serial Number (Hex):
0C40D980
Validity :
Start : Sep 2 19:00:01 2022 GMT
End : Sep 2 19:00:01 2032 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : 6e:aa:26:46:c6:8d:c7:dd:da:d6:d0:a8:17:22:ca:13:1a:9f:29:0c
SHA256 Fingerprint : dc:a3:43:92:84:78:f7:24:32:0a:2e:bc:bf:8d:64:be:07:5e:f3:27:b8:ab:62:b7:9e:c1:db

--More-- or (q)uit

----------------------------

Certificate Name: Cert for Web Admin

Subject Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=169.254.1.1
Issuer Name :
C=US, O=Cisco Systems Inc., OU=DeviceSSL (WebAdmin), CN=169.254.1.1
Serial Number (Hex):
0C40D980
Validity :
Start : Sep 3 00:00:01 2022 GMT
End : Sep 3 00:00:01 2032 GMT
Signature Algorithm :
sha256WithRSAEncryption
Hash key :
SHA1 Fingerprint : a7:a5:d4:dc:d2:dd:d0:9b:3d:e3:c2:6c:8c:30:d3:98:bf:e4:a3:d0
SHA256 Fingerprint : 81:d4:51:92:26:8a:6f:e3:a4:97:d8:6e:53:35:3c:8e:df:b2:f0:36:78:93:0f:b1:11:ac:19

----------------------------

Certificate Name: Cisco SHA1 device cert

--More-- or (q)uit

Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT5508-K9-649ef3bf2680, emailAddress=support@
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number (Hex):
66A651E0000000123B8D
Validity :
Start : Dec 12 16:21:50 2011 GMT
End : Dec 12 16:31:50 2021 GMT
Signature Algorithm :
sha1WithRSAEncryption
Hash key :
SHA1 Fingerprint : 4a:be:fd:a6:1d:5d:57:87:c0:a3:15:e0:3a:fb:05:0b:4b:d3:46:56
SHA256 Fingerprint : e7:49:e0:1e:6f:35:b2:84:f9:6a:2e:d1:35:78:2d:c7:12:24:70:4f:95:fc:d8:b2:0a:5f:e3

----------------------------

Certificate Name: Airespace Id cert

Subject Name :
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=MWAR Device, CN=000b85236d90, emailAddress=suppo
Issuer Name :

--More-- or (q)uit
C=US, ST=California, L=San Jose, O=Airespace Inc., OU=Engineering, CN=Airespace Device CA, emailAddres
Serial Number (Hex):
04EB8E
Validity :
Start : Mar 13 02:07:09 2006 GMT
End : Mar 10 02:07:09 2016 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : e3:68:a6:0f:89:46:b5:6b:37:eb:11:8c:d0:67:2e:51:e1:d8:5e:59
SHA256 Fingerprint : f1:21:a6:ef:a6:c3:67:06:73:90:12:55:1a:a3:49:e6:09:fa:8a:b6:22:2e:85:2f:48:b3:40

----------------------------

Certificate Name: Old Airespace Id cert

Subject Name :
C=US, ST=California, L=San Jose, O=airespace Inc, CN=000b85236d90, emailAddress=support@airespace.com
Issuer Name :
C=US, ST=California, L=San Jose, O=airespace Inc, OU=none, CN=ca, emailAddress=support@airespace.com
Serial Number (Hex):
04C88C
Validity :

--More-- or (q)uit
Start : Mar 13 02:07:12 2006 GMT
End : Dec 11 02:07:12 2015 GMT
Signature Algorithm :
md5WithRSAEncryption
Hash key :
SHA1 Fingerprint : 51:0c:17:6d:94:2c:cf:e4:eb:66:ba:4b:26:0b:ed:11:26:99:3c:b1
SHA256 Fingerprint : 9b:ec:a6:03:6b:7b:60:fe:17:e1:0e:4f:b4:2d:f3:b9:f6:c5:07:bb:97:6d:db:1b:3e:7f:80