Tor exit node operator arrested in Russia (TorServers.net blog)

It's fixed now.

It appears this site was previously using certificates from StartCom, the CA purchased by WoSign and which has subsequently been essentially distrusted (for new issuances) as a result of WoSigns behaviour, extensively documented on m.d.s.policy.

They switched to Let's Encrypt, but seem to have made some sort of mistake when setting things up, such that although a new certificate was obtained as scheduled 60 days after the initial one, it was not put into effect, presumably until they got lots of people complaining that their site no longer worked as intended when, a month later, the old one expired.

This type of failure seems to be relatively common, either from not actually reloading a web server after the config is updated, or from not updating the configured certificate at all (e.g. explicitly copying the new files on first use, but not arranging for them to be re-copied when the symlink are updated after a renewal). I haven't seen any one particular recurring goof, just a general pattern.

Unfortunately Let's Encrypt itself doesn't warn you so long as you obtain the newer certificate, you have to use a third party (there are lots, including free options) to monitor things and spot if your certificate seems almost expired, or of course you could hire administrators who are pro-active about such things.