I was recently doing some labbing of APIC-EM and IWAN deployments. I got to the point where my HUB was deployed, and then I attempted to deploy 2 branches but failed. I was getting these errors on my Routers:
PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed
%PKI-3-SOCKETSELECT: Failed to select the socket.
APIC-EM seems to deploy IWAN with PKI authenticated IKEv2 so my spokes/branches were getting stuck failing to auth and DMVPN never came up.
The resolution ended up being to just turn off the CRL check on HUB and SPOKES:
crypto pki trustpoint sdn-network-infra-iwan
revocation-check none