To clarify, the current certificate is actually part of a web proxy Docker container 'ipac/proxy' that IPAC runs on the server. IPAC is using a free certificate from Let's Encrypt that they are manually having to renew approximately every 3 months. I've never been asked to manage the web proxy or certificate on this server.
If you are not ready to move Firefly from this 'temporary' server yet, we could replace IPAC's proxy container with a managed web proxy that NCSA could get a no-cost real certificate for that would be valid for 2 years.
Or we could probably just proxy it from the existing lsst-web.ncsa.illinois.edu server, so that it would be accessible via https://lsst-web.ncsa.illinois.edu/firefly .