diff --git a/physical/raft/raft.go b/physical/raft/raft.go
index d5fc5cf177..a3277c79ab 100644
--- a/physical/raft/raft.go
+++ b/physical/raft/raft.go
@@ -956,9 +956,7 @@ func (b *RaftBackend) RestoreSnapshot(ctx context.Context, metadata raft.Snapsho
 		},
 	}
 
-	b.l.RLock()
 	err := b.applyLog(ctx, command)
-	b.l.RUnlock()
 
 	// Do a best-effort attempt to let the standbys apply the restoreCallbackOp
 	// before we continue.
diff --git a/vault/raft.go b/vault/raft.go
index efa05b7ac4..cd3bee3aee 100644
--- a/vault/raft.go
+++ b/vault/raft.go
@@ -632,12 +632,6 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 		// Purge the cache so we make sure we are operating on fresh data
 		c.physicalCache.Purge(ctx)
 
-		// Refresh the raft TLS keys
-		if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
-			c.logger.Info("failed to perform TLS key upgrades, sealing", "error", err)
-			return err
-		}
-
 		// Reload the keyring in case it changed. If this fails it's likely
 		// we've changed master keys.
 		err := c.performKeyUpgrades(ctx)
@@ -675,6 +669,12 @@ func (c *Core) raftSnapshotRestoreCallback(grabLock bool, sealNode bool) func(co
 			}
 		}
 
+		// Refresh the raft TLS keys
+		if err := c.checkRaftTLSKeyUpgrades(ctx); err != nil {
+			c.logger.Info("failed to perform TLS key upgrades, sealing", "error", err)
+			return err
+		}
+
 		return nil
 	}
 }