This a a screenshot from the Controller GUI

And this is the output from the console window.
This repeated every some minutes

*May 9 11:31:41.235: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 11118,Received sequence num: 1 distance: -11117
Download image failed, notify controller!!! From:8.5.135.0 to 8.5.135.0, FailureCode:3

archive download: takes 531 seconds

*May 9 11:31:50.047: capwap_image_proc: problem extracting tar file
*May 9 11:32:21.011: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.20.11:5246
*May 9 11:32:21.015: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to interface reset
*May 9 11:32:21.015: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface is getting down
*May 9 11:32:21.015: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
*May 9 11:32:21.015: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to interface is getting down
*May 9 11:32:21.083: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - EASY_ADMIN is not set, turn off easy admin service!

*May 9 11:32:21.083: %CAPWAP-5-AP_EASYADMIN_INFO: AP Easy Admin information - Easy Admin is not enabled, turn it off!

*May 9 11:32:21.095: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to hostname change
*May 9 11:32:21.095: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to hostname change
*May 9 11:32:21.095: [m102x_set_lanport_config] Cannot enable AUX port while POE, connect AC or Inj source
*May 9 11:32:21.107: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
*May 9 11:32:21.111: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*May 9 11:32:21.119: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio1 due to interface reset
*May 9 11:32:21.135: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*May 9 11:32:22.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*May 9 11:32:22.139: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*May 9 11:32:22.147: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*May 9 11:32:23.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*May 9 11:32:23.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*May 9 11:32:23.167: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*May 9 11:32:23.175: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*May 9 11:32:23.183: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*May 9 11:32:24.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*May 9 11:32:24.175: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*May 9 11:32:24.203: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*May 9 11:32:25.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
examining image...
extracting info (288 bytes)
Image info:
Version Suffix: k9w8-.153-3.JF8
Image Name: ap3g2-k9w8-mx.153-3.JF8
Version Directory: ap3g2-k9w8-mx.153-3.JF8
Ios Image Size: 12728832
Total Image Size: 14674432
Image Feature: WIRELESS LAN|LWAPP
Image Family: AP3G2
Wireless Switch Management Version: 8.5.135.0
MwarVersion:08058700.First AP Supported Version:07066E02.

Image version check passed

Extracting files...
*May 9 11:32:31.135: AP has S
ap3g2-k9w8-mx.153-3.JF8/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/U2.bin (8176 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/F2.bin (15184 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/file_hashes (8366 bytes)HA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*May 9 11:32:31.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.20.11 peer_port: 5246
*May 9 11:32:31.395: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.0.20.11 peer_port: 5246
*May 9 11:32:31.395: %CAPWAP-5-SENDJOIN: sending Join Request to 10.0.20.11perform archive download capwap:/c3700 tar file
*May 9 11:32:31.407: %CAPWAP-6-AP
extracting ap3g2-k9w8-mx.153-3.JF8/8006.img (605570 bytes)_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
extracting ap3g2-k9w8-mx.153-3.JF8/B5.bin (2333 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/img_sign_rel_sha2.cert (1371 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/E5.bin (2213 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/Y2.bin (7008 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/final_hash.sig (512 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/info (288 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/MCU.bin (9031 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/HA2.bin (5840 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/final_hash (141 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/R5.bin (4547 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/X2.bin (16352 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/X5.bin (1916 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/triggerfish_cpld.img (2460 bytes)
ap3g2-k9w8-mx.153-3.JF8/html/ (directory) 0 (bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/ (directory) 0 (bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/1/ (directory) 0 (bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/cisco-logo-2007.gif (1648 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/itp-logo.png (2822 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/background_web41.jpg (732 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/info.gif (399 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/images/login_homeap.gif (19671 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/sitewide.js (17290 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/forms.js (20442 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/config.js (29225 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/config-oeap.js (779 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/back.shtml (512 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/officeExtendap.css (41801 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/ap_home.shtml.gz (1540 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/jquery-1.11.3.min.js (95957 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/1/appsui.js (563 bytes)
ap3g2-k9w8-mx.153-3.JF8/html/level/15/ (directory) 0 (bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/easyApManagement.html (967 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/officeExtendapMain.shtml.gz (3350 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/officeExtendapConfig.shtml.gz (3147 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/officeExtendapBanner.htm (7514 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/officeExtendapSummary.htm (985 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/officeExtendapHelp.htm (5721 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/officeExtendapEvent.shtml.gz (988 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/easyApManagementSummary.shtml.gz (3371 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/html/level/15/easyApManagementConfig.shtml.gz (4999 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/Q2.bin (8176 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/F5.bin (4220 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-mx.153-3.JF8 (230279 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/V2.bin (12848 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/HA5.bin (2049 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/C2.bin (30368 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/U5.bin (3609 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/R2.bin (15184 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-xx.153-3.JF8 (12724480 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/ap3g2-k9w8-tx.153-3.JF8 (73 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/uart_firmware_upgrade.bin (18818 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/Y5.bin (1875 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/8004.img (576021 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/C5.bin (16361 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/img_sign_rel.cert (1375 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/V5.bin (514 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/B2.bin (10512 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/Q5.bin (3957 bytes)
extracting ap3g2-k9w8-mx.153-3.JF8/E2.bin (19856 bytes)
extracting info.ver (288 bytes)
*May 9 11:41:15.675: Currently running a Release Image

*May 9 11:41:15.699: Using SHA-2 signed certificate for image signing validation.
*May 9 11:41:15.767: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 4E78A210000000000007) has expired. Validity period ended on 21:43:46 UTC Dec 4 2022
*May 9 11:41:15.771: Image signing certificate validation failed (1A).

*May 9 11:41:15.771: Failed to validate signature
*May 9 11:41:15.771: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.153-3.JF8/final_hash)
*May 9 11:41:15.771: AP image integrity check FAILED
Aborting Image Download

*May 9 11:41:17.799: DTLS_CLIENT_ERROR: ../capwap/base_capwap/dtls/base_capwap_dtls_record.c:169 Pkt too old last_seq_num : 11119,Received sequence num: 1 distance: -11118
Download image failed, notify controller!!! From:8.5.135.0 to 8.5.135.0, FailureCode:3

archive download: takes 535 seconds