RDS Session Host RDP SSL Certificate Expiring

The solution here is to make everyone connect to rdweb.contoso.com, and never use the rdweb.contoso.local address. In most cases this will require either split DNS or NAT hairpinning/loopback to work properly.

By using the public name, your godaddy SSL certificate will work properly. No reputable provider will give you a signed ssl cert for any *.local address since there's no way to prove ownership (in fact, you don't own it, but as long as it's only on your LAN it doesn't break anything else if someone else uses it on their LAN).

Using a self signed certificate is bad - particularly because it trains users to completely ignore the warning about the certificate being invalid. That makes it much easier to trick someone into connecting to a different service or hijacking the connection.

Assuming you have your contoso.com DNS at godaddy, and your contoso.local DNS in active directory, you can add contoso.com to your AD DNS servers, with all the records it has at godaddy. But when you get to rdweb, instead of the public IP address, put in the private address.

Or just make your firewall/NAT device allow connections from the LAN to connect via the public address. This is often called NAT hairpinning, loopback, or a few other similar names.

Your connection broker should not be in collection.domain.com, only the session hosts should be. The session hosts talk to the session broker, not the clients.