Hi Chris,
I updated one orderer TLS certs in the system channel but it's not included in the raft consensus. If i try to fecth the channel confing block from the updated orderer i get SERVICE UNAVAILABLE.
On the updated orderer i get:
2021-05-06 18:21:23.035 CEST [orderer.consensus.etcdraft] campaign -> INFO 272 2 [logterm: 364, index: 371] sent MsgPreVote request to 1 at term 364 channel=sys-channel node=2 2021-05-06 18:21:23.036 CEST [orderer.consensus.etcdraft] campaign -> INFO 273 2 [logterm: 364, index: 371] sent MsgPreVote request to 3 at term 364 channel=sys-channel node=2 2021-05-06 18:21:27.220 CEST [comm.tls] ClientHandshake -> ERRO 274 Client TLS handshake failed after 1.087456ms with error: public key of server certificate presented by orderer0.obsucureddomain:7050 doesn't match the expected public key remoteaddress=xxxxxx:7050

So I'm no confident to update one more orderer in the system channel. Plus to that, if I updated all my orderers in the system channel, then replace the tls certs, and restart the orderer then i would find 2 orderers updatet in the system channel and not in the application channel which will lose the quorum.

I don't understand what's wrong, I cannot lose my production channels and data.