Too bad you don't remember which exit node it was, it would help. Yeah, it could be a compromised exit node trying to perform a mitm attack. It would be interesting to see that certificate. Anyway, there are two things that you can do to avoid this in the future.
First, install the Certificate Patrol add-on for Firefox
https://addons.mozilla.org/en-US/fir...ficate-patrol/
It stores the certificates from every site you visit and checks to see if they change before the expiration date. You will get a lot of notifications about cert changes but its almost always benign. I suggest you install that in every Firefox profile you use as its a very helpful add-on in general.
Secondly, compromised "bad" nodes are a bit common actually. There's a tor hidden service called InspecTor that checks nodes for bad versions, javascript injections, sql injections, replacing https links for http etc.
http://xqz3u5drneuzhaeo.onion/users/badtornodes/
To protect against exit nodes like that you can select the set of bad nodes you want depending on how paranoid you are, create an ExcludeNodes text block with their fingerprints and edit your torrc file to avoid using them as exit nodes permanently.
Be aware that ExcludeNodes and ExcludeExitNodes are different options in the torrc file. ExcludeNodes will completely avoid using them in any part of the chain be it entry node, middle or exit. ExcludeExitNodes just excludes them from being used as exit nodes. Your choice.
If you find a strange node again you can report it to InspecTor to make the Tor network a little bit better. Hope this helps.