12-01-2025 02:21 AM
*Dec 1 10:04:34.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Dec 1 10:04:34.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.17.68.201:5246
*Dec 1 10:04:34.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.17.68.201:5246
12-03-2025 03:26 AM
- @kamleshkatariya1994 There is one certificate with an end time in 2013, try setting the controller time somewhere in 2008
M.
12-01-2025 02:55 AM
@kamleshkatariya1994 FYI: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
M.
12-02-2025 08:02 PM
The issue is still the same; it is not resolved.
12-02-2025 11:18 PM
- @kamleshkatariya1994 What does that mean ?
What did you try ?
M.
12-02-2025 11:24 PM - edited 12-02-2025 11:26 PM
We issued a command to ignore the MIC and SSC certificates. However, the AP did not join as expected. Additionally, the WLC was completely factory reset.
The below settings were applied in the WLC:
Upgrade to a fixed software release.
Enter the config ap cert-expiry-ignore {mic|ssc} enable command.
If any of the Cisco APs that cannot join have not downloaded the fixed software, do the following:
Disable NTP.
Set the clock back to a time before the Cisco WLC certificate expired (this might keep newer Cisco APs from joining).
Have all Cisco APs join the Cisco WLC, download new software, and rejoin.
Set the clock to the correct time and re-enable NTP.
12-02-2025 11:36 PM
- @kamleshkatariya1994 >...did not join 'as expected'
- What do you mean by that ?
- Can you post the full boot process of an impacted access point ?
- What software version is the 2504 controller running ?
M.
12-03-2025 01:07 AM
1) Access Point error
*Dec 1 10:04:34.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Dec 1 10:04:34.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.17.68.201:5246
*Dec 1 10:04:34.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.17.68.201:5246
2) WLC 2504 software version: 8.5.182.0
Cisco WLC 2500 was on and APs were connected but after rebooting the WLC, the APs did not connect and an error occurred.
(And the same WLC 2500 is running.)
*Dec 1 10:04:34.007: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:509 Certificate verified failed!
*Dec 1 10:04:34.007: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 172.17.68.201:5246
*Dec 1 10:04:34.007: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.17.68.201:5246
12-03-2025 01:43 AM
What date is the WLC rolled back to?
12-03-2025 01:48 AM
Date: 01/12/2025
12-03-2025 01:57 AM
12-03-2025 02:26 AM
2021
12-03-2025 02:40 AM
- @kamleshkatariya1994 FYI : https://community.cisco.com/t5/wireless/cisco-ap-air-cap1702i-d-k9-not-join-in-wlc-2500/m-p/5351939/highlight/true#M287749
M.
12-03-2025 02:56 AM
@kamleshkatariya1994 wrote:
2021
Da fuq?
12-03-2025 01:49 AM
- @kamleshkatariya1994 On the access point you can use the command: show crypto ca cert to verify the certificate validity interval
Issue the show time command from the controller CLI in order to verify the date and time set on your controller falls within this validity interval. If the controller time is higher or lower than this certificate validity interval, then change the controller time to fall within this interval.
M.
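The check described in the reply above (the controller time must fall inside the certificate validity interval), worked through as an added example that is not part of the thread or of any Cisco tooling. It generalizes slightly to several certificates by computing the window in which all of them are valid at once. The sample text is constructed in the "Validity Date" layout IOS prints, its dates are invented, and the parser assumes UTC timestamps.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the "Validity Date" layout of IOS certificate output;
# the dates are invented for illustration and are not taken from the thread.
SAMPLE = """\
Certificate
  Validity Date:
    start date: 09:00:00 UTC Jul 2 2007
    end   date: 09:10:00 UTC Jul 2 2017
CA Certificate
  Validity Date:
    start date: 10:00:00 UTC Jun 10 2005
    end   date: 10:10:00 UTC May 14 2029
CA Certificate
  Validity Date:
    start date: 12:00:00 UTC Feb 1 2003
    end   date: 12:00:00 UTC Feb 1 2013
"""
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
DATE_RE = re.compile(r"^\s*(start|end)\s+date:\s+(\d+):(\d+):(\d+)\s+UTC"
                     r"\s+(\w{3})\s+(\d+)\s+(\d{4})", re.M)
def parse_validity(text):
    """Return one (not_before, not_after) pair per certificate, UTC only."""
    windows, start = [], None
    for kind, hh, mm, ss, mon, day, year in DATE_RE.findall(text):
        ts = datetime(int(year), MONTHS[mon], int(day),
                      int(hh), int(mm), int(ss), tzinfo=timezone.utc)
        if kind == "start":
            start = ts
        elif start is not None:
            windows.append((start, ts))
            start = None
    return windows

def common_window(windows):
    """Interval in which every certificate is valid, or None if none exists."""
    if not windows:
        return None
    lo, hi = max(s for s, _ in windows), min(e for _, e in windows)
    return (lo, hi) if lo <= hi else None

def clock_ok(text, clock):
    win = common_window(parse_validity(text))
    return win is not None and win[0] <= clock <= win[1]

if __name__ == "__main__":
    for year in (2008, 2021, 2025):
        print(year, clock_ok(SAMPLE, datetime(year, 12, 1, tzinfo=timezone.utc)))
```

With the constructed dates, only a clock inside the overlap of all three intervals passes; the certificate that expires earliest sets the upper bound.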