Maintaining SSL/TLS is hard...
Not even experts are safe from the many pitfalls that exist in implementations. Qualys, known for their Qualys SSL Labs Vulnerability Scanner (used in my research), allowed the expiration of their blog’s certificate.
The relevant site: https://blog.qualys.com/
Qualys rates their own site with a ‘T’ for ’not trustworthy’:
See Let’s Encrypt for free SSL/TLS certificates and methods to automatically update them on your servers before they expire. It is expected that wildcard certificates will be supported by Let’s Encrypt in 2018. There will not be an excuse for having invalid certificates anymore, not even (or especially?) for Qualys.