An expired certificate is a valid certificate where the end date (“expires-on date”) baked into the certificate is in the past.
A revoked certificate is a valid certificate that passes all checks on the certificate itself but where a supplementary check (e.g. via OCSP or CRL) shows that the issuer has revoked the certificate.
There are any number of invalid certificate scenarios but the most common in my experience is: don’t have a valid certification chain e.g. can’t follow the chain from the actual certificate owner to the Certificate Authority that signed it, to the CA that signed that, …, to a root Certificate Authority that is baked into the operating system or other software that is attempting to validate the certificate - for example, a self-signed certificate - or a root CA that I have chosen not to trust.
A common different type of scenario is that the certificate itself passes all checks (valid, not expired, not revoked) but it certifies a domain other than what the client is expecting ! This is typically a misconfiguration, intentional or otherwise, but could in theory be a MITM attack.
Most of the time when an organisation unintentionally fails to renew a certificate there will be a period of time after the certificate expires and before anyone notices / anyone complains at the organisation. Once that notification is achieved … they can renew the certificate or issue an advisory. If they have time to issue an advisory in advance then they likely have time to renew the certificate in advance, and there will be no problem.
So there is very likely to be some kind of gap in time where you have no information other than that the certificate has expired.
You would think that it would be good for the server side to warn the organisation about certificates that have impending expiry.
This is totally different from the “certificate revoked” situation where an advisory would be very appropriate but it may be impossible to provide an advisory in advance.
I opened the Chromium-based Brave browser that I had already installed and downloaded the LastPass .xpi file from LastPass. I then opened PureBrowser and “installed from a file” and it worked fine. So perhaps the issue with PureBrowser on AMO is once again the User Agent string.