To handle certificate expiration, you can provide an updated firmware version which pins both certificates (a so-called pinset). You’d have to extend wifi_tls_cert_pinning to consider both public keys.
For a production scenario, I’d recommend always using a pinset with one or more backup certificates so that you can still distribute firmware updates if there’s an issue with your primary certificate.
Regarding the error, it’s difficult to say what the problem is without more information. I recommend you verify the certificate chain that the server presents. You can also google for mbedtls_ssl_handshake 2700 for some hints on what may be wrong and how to analyze the issue.
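
The pinset check suggested in the reply above, sketched as an added example; it is not code from the original post or from the project. It assumes the pinning routine already holds a SHA-256 hash of the server's public key; `pinset_match`, `pin_equal` and the pin values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN 32 /* assumed pin format: SHA-256 of the server public key */

/* Constructed placeholder pins, not real key hashes. */
static const uint8_t pinset[][PIN_LEN] = {
    { [0] = 0xA1, [31] = 0x5A }, /* primary certificate key */
    { [0] = 0xB2, [31] = 0x5B }, /* backup certificate key */
};
#define PINSET_COUNT (sizeof(pinset) / sizeof(pinset[0]))

/* Constant-time compare: run time does not depend on where bytes differ. */
static int pin_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns the index of the matching pin (0 = primary, 1+ = backup),
 * or -1 when the presented key is not in the pinset (abort the connection). */
int pinset_match(const uint8_t key_hash[PIN_LEN])
{
    int match = -1;
    for (size_t i = 0; i < PINSET_COUNT; i++)
        if (match < 0 && pin_equal(key_hash, pinset[i]))
            match = (int)i;
    return match;
}

int main(void)
{
    uint8_t presented[PIN_LEN] = { [0] = 0xB2, [31] = 0x5B }; /* constructed */
    int idx = pinset_match(presented);
    if (idx < 0)
        puts("pin mismatch: reject connection");
    else
        printf("matched pin %d%s\n", idx, idx ? " (backup in use)" : "");
    return idx < 0;
}
```

Returning the index rather than a plain yes/no lets the firmware log when a backup pin matched, which is a useful signal that the primary certificate has been replaced and the pinset should be refreshed in the next update.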