Thanks for the quick response, ammahend

I just started a log for the capwap debug messages, and will share them after I see the results and whether or not any messages appear from the LAP in question.

I'm not sure how to get the AP logs if the AP isn't registering with the WLC.
Can you point to any documentation on that?

I was saying if you can console into the AP, but if the console is not accessible, it’s fine, let’s start with capwap debug. 

Aloha, ammahend and rrudling
Ammahend, the output log is attached, but it contains more that just the capwap debug output. 
Given what I've read on troubleshooting this issue, I issued additional commands.
The two AP's are on different controllers, so I was able to run the commands simultaneously.
The two logs were very similar in what messages were received.
I've attached the results of one of the logs.
The commands:
config session timeout 60
config serial timeout 60
debug mac addr <AP MAC address>
debug client <AP MAC address>
debug lwapp events enable
debug lwapp errors enable
debug pm pki enable
debug dtls all enable
debug capwap events enable

rrudling,
I had read that field notice and I tend to agree. The only thing that made me wonder is that I get no error in the log files that I collected that specifically identifies certificate failure. I realize, though, that I'm looking at the WLC logs, and that notice discusses the output of the AP, which I cannot easily access (mounted on a 12 foot high ceiling).
I *do* have a spare AP that I can use as a test and look at its output when connected to the switch.

There are a few hurdles that I need to get past in order to update the WLC controller software.
Our SMARTNET contract expired and I'm waiting on our fiscal office to issue the PO for the renewal.
You are correct on the software version.
I'm assuming that updating the WLC software to 8.5.182.0 also provides the update for the AP's to 15.3(3)JF15.
Is that correct?

Regards,
Grant

if SSH was enable before you assigned static IP, you should still be able to SSH and get logs, get output for show capwap ip config.

run these commands, see if it makes any difference for the APs in question.

(Cisco Controller) >config ap cert-expiry-ignore ssc enable

(Cisco Controller) >config ap cert-expiry-ignore mic enable

> I'm assuming that updating the WLC software to 8.5.182.0 also provides the update for the AP's to 15.3(3)JF15.
Is that correct?
Yes you can see the WLC version and corresponding AP version at https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html#ctr-ap_support

Also as per FN: 

If you run AireOS Version 8.0 or later, then in order to determine when the WLC certificate expires, enter this command and look for the Cisco SHA1 device cert entry:

WLC_CLI: show certificate all

Aloha, all

ammahend,
Sadly, since both AP's were in use prior to these disruptions, SSH connections to both AP's are disabled.

rrudling,
The WLC5508 controllers are currently running Cisco Wireless Release 7.2.103.0, so the closest command I can use is "show local-auth certificates".
The certificate that command shows *is* expired, as of the 1st of this month.
The headscratcher for me is that everything I can see about that cert ties it to the webUI, not the AP's.
"show local-auth certificates", for instance, responds with:
Certificate issuer .............................. vendor
CA certificate: Not installed.
Device certificate: Not installed.
Certificate issuer .............................. cisco
Device certificate:
Valid: 2012 Sep 1st, 16:45:19 GMT to 2022 Sep 1st, 16:55:19 GMT

The response to "show certificate lsc summary" contains:
LSC Enabled...................................... No
LSC CA-Server.................................... None
LSC AP-Provisioning.............................. No
LSC Certs:
CA Cert...................................... Not Configured
RA Cert...................................... Not Configured

If I issue the "show local-auth statistics" command, the Certificate operations section shows:
Certificate operations:
Local device certificate load failures .......... 0
Total peer certificates checked ................. 0
Failures:
CA issuer check ............................... 0
CN name not equal to identity ................. 0
Dates not valid or expired .................... 0

Am I making wrong assumptions on what I see?
At any rate, I will be testing tomorrow with the spare AP, so I hope to have more answers from the AP's perspective.

Regards,
Grant

I just finished testing with my spare AP, and as rrudling surmised, the APs are rejecting the expired certificate.

*Mar 1 00:01:02.791: AP has SHA2 MIC certificate - Using SHA1 MIC certificate for DTLS.
*Sep 23 21:31:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.91 peer_port: 5246
*Sep 23 21:31:00.127: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.
The certificate (SN: 15814C390000000B2D53) has expired.
Validity period ended on 16:55:19 UTC Sep 1 2022Peer certificate verification failed 001A

*Sep 23 21:31:00.127: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Sep 23 21:31:00.127: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 10.0.0.91:5246
*Sep 23 21:31:00.127: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.0.0.91:5246
*Sep 23 21:31:20.247: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inline power source

My supervisor tells me that we're waiting on the fiscal office to issue the PO for the SMARTNET renewal, so there's noting I can do but wait.
Fortunately the problem only impacts 2 APs, and both of them are in areas of little use.
I thank you both for your assistance
Regards,
Grant