when you see a website that's HTTPS rather than HTTP, it means the connection is secure. most popular browsers will display a green padlock in the URL bar to symbolise that (and colour it yellow or red if something's wrong).
to verify that a connection is secure (and not just someone saying it's secure), you need a certificate, a file that verifies that you are who you say you are.
a certificate can be revoked at any time by anyone. you can deny facebook's certificate if you like, and facebook will stop loading for you. more importantly (and practically), the issuer of the certificate can deny it, and the site will stop working until they get a new one. this means that if facebook "goes rogue", the CA (certificate authority) is allowed to remove their certificate, guaranteeing (in theory) that if the site is HTTPS, it's definitely secure.
these certificates don't last forever. they need to be renewed, to prove that you're still there and still complying with them. gargron had certificate auto-renewal set up, which means the certificate will automatically get renewed when it's close to expiring. so why did the cert expire? why did .social go down? the answer is that while a new certificate was installed, it wasn't actually loaded. nginx, the server software that .social uses, was supposed to automatically load the new cert, but it didn't for some reason (computers are weird!), and thus .social went offline for about an hour.
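one way to catch the "renewed but never loaded" case is to compare the certificate file on disk with the certificate the running server actually hands out. this is an added example, not part of the original post or anything .social runs; the function names and sample bytes are made up for illustration.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_der_from_pem(pem_text):
    """DER bytes of the first certificate in a PEM file (the leaf in a full chain)."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM text")
    return ssl.PEM_cert_to_DER_cert(match.group(0))

def served_der(host, port=443, timeout=5.0):
    """DER bytes of the certificate the live server presents.

    Verification is off on purpose: this only fetches the certificate for
    comparison, and it has to work even when the served one has expired.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def reload_needed(disk_pem_text, live_der):
    """True when the server still presents a different cert than the one on disk."""
    return fingerprint(leaf_der_from_pem(disk_pem_text)) != fingerprint(live_der)

# Constructed sample data: the bytes are placeholders, not real certificates.
OLD_DER = b"constructed-old-certificate"
NEW_DER = b"constructed-renewed-certificate"
DISK_CHAIN = (ssl.DER_cert_to_PEM_cert(NEW_DER)
              + ssl.DER_cert_to_PEM_cert(b"constructed-intermediate"))

if __name__ == "__main__":
    print("stale cert still in memory:", reload_needed(DISK_CHAIN, OLD_DER))
    print("after the server reloads:", reload_needed(DISK_CHAIN, NEW_DER))
```

in real use you'd pass the contents of the renewed certificate file and `served_der("your.host")`, run it after every renewal, and alert or reload the server when it returns true.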