nightly.tails.boum.org is a different server (or IP address at least) from tails.boum.org. The cert that I get over Tor is also for www.lizard, serial numbers starts with 00:92:34. You might have been MITMed, but it's still a self-signed cert for that server, which is the error most people will see. Weirdly, it asks for authorization over HTTPS but not over HTTP. They should upload a PGP signature and then it wouldn't matter.