DTLS-3-HANDSHAKE_FAILURE WLC 2500 series

YasserZ (Level 1)

Hi Guys

I'm having a lot of issues with my WLC and the messages displayed are above. Could you help me?

*spamApTask2: Sep 13 15:33:27.133: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 192.168.0.98

*spamApTask2: Sep 13 15:33:27.133: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 192.168.0.98

*spamApTask2: Sep 13 15:33:27.129: %DTLS-6-DUPLICATE_RECORD: openssl_dtls.c:3172 Duplicate record received - ignored.

 

*spamApTask2: Sep 13 15:33:06.516: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 192.168.0.99

*spamApTask2: Sep 13 15:33:06.515: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 192.168.0.99

 

*spamApTask0: Sep 13 15:32:49.381: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 192.168.151.34

*spamApTask0: Sep 13 15:32:49.380: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 192.168.151.34

 

*spamApTask6: Sep 13 15:32:48.937: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 10.212.0.9

*spamApTask6: Sep 13 15:32:48.937: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 10.212.0.9

 

*spamApTask2: Sep 13 15:32:42.345: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 192.168.0.56

*spamApTask2: Sep 13 15:32:42.344: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 192.168.0.56
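As an added example (not from the thread, and not a Cisco tool), a small Python triage script that parses WLC `%DTLS-*` messages of the form quoted above, pairs each `HANDSHAKE_FAILURE` with a `BAD_CERT` for the same peer within a short window, and reports which APs are failing for certificate reasons. When every failing peer is tagged `BAD_CERT`, the problem is fleet-wide certificate validation (clock versus certificate validity) rather than a single faulty AP, which is the case the field notice and the clock-rollback steps later in the thread address. The sample log is constructed from the message format above; the last peer (10.212.0.50) is invented to show a handshake failure with no matching certificate error.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the WLC messages quoted in the thread.
WLC_LOG = """\
*spamApTask2: Sep 13 15:33:27.133: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 192.168.0.98
*spamApTask2: Sep 13 15:33:27.133: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 192.168.0.98
*spamApTask2: Sep 13 15:33:27.129: %DTLS-6-DUPLICATE_RECORD: openssl_dtls.c:3172 Duplicate record received - ignored.
*spamApTask6: Sep 13 15:32:48.937: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 10.212.0.9
*spamApTask6: Sep 13 15:32:48.937: %DTLS-4-BAD_CERT: openssl_dtls.c:1339 Certificate verification failed. Peer IP: 10.212.0.9
*spamApTask0: Sep 13 15:31:00.100: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:872 Failed to complete DTLS handshake with peer 10.212.0.50
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: %<facility-sev-mnemonic>: <message>"
HEADER = re.compile(r"^\*(\S+): (\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): %(DTLS-\d-\w+): (.*)$")
# The peer address appears as "peer A.B.C.D" or "Peer IP: A.B.C.D".
PEER = re.compile(r"(?:peer|Peer IP:) (\d{1,3}(?:\.\d{1,3}){3})")

def parse_wlc_dtls(text):
    """Return [(timestamp, mnemonic, peer_ip_or_None)] for every %DTLS-* line."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        _task, stamp, code, msg = m.groups()
        # Syslog stamps carry no year; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S.%f")
        peer = PEER.search(msg)
        events.append((ts, code, peer.group(1) if peer else None))
    return events

def classify_failures(events, window=timedelta(seconds=2)):
    """Map each peer with a HANDSHAKE_FAILURE to 'BAD_CERT' when the WLC logged a
    certificate-verification failure for that peer within `window`, else 'UNEXPLAINED'."""
    bad_cert = defaultdict(list)
    for ts, code, peer in events:
        if code == "DTLS-4-BAD_CERT":
            bad_cert[peer].append(ts)
    verdict = {}
    for ts, code, peer in events:
        if code == "DTLS-3-HANDSHAKE_FAILURE":
            near = any(abs(t - ts) <= window for t in bad_cert[peer])
            verdict[peer] = "BAD_CERT" if near else "UNEXPLAINED"
    return verdict

if __name__ == "__main__":
    for ip, why in sorted(classify_failures(parse_wlc_dtls(WLC_LOG)).items()):
        print(f"{ip:16} {why}")
```

Run it against `show msglog` or syslog output from the controller; a result where all peers read `BAD_CERT` is the signature to check the WLC clock and the AP/WLC certificate validity dates against before touching individual APs.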

Leo Laohoo (Hall of Fame)

Post the complete output to the following commands: 

  1. WLC:  sh sysinfo
  2. WLC:  sh time
  3. AP:  sh version
  4. AP:  sh ip interface brief

Hi @Leo Laohoo 

 

Thanks for attention and support

 WLC: sh sysinfo

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.2.166.0
Bootloader Version............................... 1.0.20
Field Recovery Image Version..................... 7.6.101.1
Firmware Version................................. PIC 20.0


Build Type....................................... DATA + WPS

System Name...................................... WLC-DC-01
System Location.................................. DC-Marina Baia
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
IP Address....................................... 10.212.0.1
IPv6 Address..................................... ::
Last Reset....................................... Power on reset
System Up Time................................... 79 days 3 hrs 36 mins 58 secs
System Timezone Location......................... (GMT) London, Lisbon, Dublin, Edinburgh
System Stats Realtime Interval................... 5
System Stats Normal Interval..................... 180

--More-- or (q)uit

Configured Country............................... BR - Brazil
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +28 C
External Temperature............................. +32 C
Fan Status....................................... 3500 rpm

State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 3
Number of Active Clients......................... 65

Burned-in MAC Address............................ 00:42:5A:77:CD:A0
Maximum number of APs supported.................. 75
System Nas-Id....................................
WLC MIC Certificate Types........................ SHA1/SHA2

WLC: sh time

(Cisco Controller) >show time

Time............................................. Wed Sep 14 12:07:57 2022

Timezone delta................................... 0:0
Timezone location................................ (GMT) London, Lisbon, Dublin, Edinburgh

NTP Servers
NTP Polling Interval......................... 600

Index NTP Key Index NTP Server Status NTP Msg Auth Status
------- ----------------------------------------------------------------------------------------------
1 0 45.222.43.250 Not Synched AUTH DISABLED

AP: sh version

For some reason that I was unable to identify, the AP does not allow me to access it with the credentials that I configured, but while it was starting I collected the version info, in the hope it could be helpful.

Cisco AIR-CAP3602I-A-K9 (PowerPC) processor (revision A0) with 188398K/60928K bytes of memory.
Processor board ID FTX1631R0LL
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.2.166.0
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 30:F7:0D:29:01:8B
Part Number : 73-14521-02
PCB Serial Number : FOC16303FNA
Top Assembly Part Number : 800-35852-02
Top Assembly Serial Number : FTX1631R0LL
Top Revision Number : C0
Product/Model Number : AIR-CAP3602I-A-K9

 

In addition to this information, I have the output I get when I connect the AP to the network.

*Mar 1 00:00:31.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Jul 25 11:40:32.075: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.3(3)JC14, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sun 29-Oct-17 17:15 by prod_rel_team
*Jul 25 11:40:32.075: %SNMP-5-COLDSTART: SNMP agent on host AP30f7.0d29.018b_P1_B_Esq is undergoing a cold start
*Jul 25 11:40:33.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up

*Jul 25 11:40:44.307: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Jul 25 11:40:44.735: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully

*Jul 25 11:40:44.911: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Jul 25 11:40:44.911: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jul 25 11:40:45.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Jul 25 11:40:45.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jul 25 11:40:45.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Jul 25 11:40:46.955: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Jul 25 11:40:46.955: DPAA Initialization Complete
*Jul 25 11:40:46.955: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Jul 25 11:40:47.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Jul 25 11:40:48.975: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Jul 25 11:40:49.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Jul 25 11:40:50.635: Currently running a Release Image
validate_sha2_block: Failed to get certificate chain
*Jul 25 11:40:51.055: Using SHA-1 signed certificate for image signing validation.
*Jul 25 11:40:57.391: APAVC: Succeeded to activate all the STILE protocols.

*Jul 25 11:40:57.391: APAVC: Registering with CFT

*Jul 25 11:40:57.391: APAVC: CFT registration of delete callback succeeded

*Jul 25 11:40:57.391: APAVC: Reattaching Original Buffer pool for system use

*Jul 25 11:40:57.391: Pool-ReAtach: paks 18174 radio17566

*Jul 25 11:41:04.907: AP image integrity check PASSED

*Jul 25 11:41:04.915: Non-recovery image. PNP Not required.

*Jul 25 11:41:05.027: validate_sha2_block:No SHA2 Block present on this AP.

*Jul 25 11:41:05.043: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Jul 25 11:41:05.043: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Jul 25 11:41:08.007: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Jul 25 11:41:09.111: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Jul 25 11:41:10.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Jul 25 11:41:10.219: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Jul 25 11:41:11.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Jul 25 11:41:15.111: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 0 CLI Request Triggered
*Jul 25 11:42:08.007: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Sep 14 15:01:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:01:38.211: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:01:38.211: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246
*Sep 14 15:02:43.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:02:43.211: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:02:43.211: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246
*Sep 14 15:03:48.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:03:48.211: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:03:48.211: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246
*Sep 14 15:05:09.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:05:09.211: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:05:09.211: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246
*Sep 14 15:06:30.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:06:30.223: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:06:30.223: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246
*Sep 14 15:07:35.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:07:35.211: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:07:35.211: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246
*Sep 14 15:08:40.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.212.0.1 peer_port: 5246
*Sep 14 15:08:40.211: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.212.0.1
*Sep 14 15:08:40.211: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.212.0.1:5246

Have you gone through the field notice I linked below?
Upgrade your WLC to the latest version of software which supports all your APs and WLC:
https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support
And then follow the steps in the field notice.  Briefly:
- Upgrade WLC
- Apply config workaround
- On WLC disable NTP and set clock back to before WLC or AP certs expired
- Allow all APs to join, download new software and pick up the config change after they have reloaded to new software.
- When all are upgraded and have the config applied you should be able to re-enable NTP.

Rich R (VIP)

As @Leo Laohoo said (provide basic info otherwise we cannot help you) and you might also save yourself time by reading this field notice very carefully: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html

 

Hi @Rich R 

The link you've provided was very helpful. I was able to rejoin the APs by disabling NTP and manually setting the date and time.

I really appreciate your support.
