Author here. Just wanted to comment on the Certificate Transparency issues that some of you have raised:
My company (Datto [1]; we're hiring, see [2]) sells backup appliances which our customers place in their company network (much like you would place a router in your own network). Since we do not control anything other than our appliance inside our customers' networks, we went this route to provide a secure web interface to our appliance. And since the 65k servers/appliances (now more like 80k) are located in tens of thousands of different networks, leaking the internal IP isn't bad at all -- especially since there is no way to correlate them with the customer.
For normal "internal servers" within a company, I'd probably recommend using a wildcard cert and an internal DNS server.
Also: Yeyy, I'm on HN!
[2] https://news.ycombinator.com/item?id=19071727 or https://www.datto.com/careers/
See:
https://github.com/cloudflare/cfssl
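As an added illustration of the "wildcard cert plus internal DNS" recommendation above (this is not code from the thread, from Datto, or from cfssl; it uses the plain openssl CLI instead of cfssl, and the zone name internal.example.com, the CA subject and the file names are made up for the example): the script below stands up a private internal CA, issues one wildcard certificate for the whole internal zone, lists the names the certificate would expose if a public CA had issued it, and then runs openssl's own chain-plus-hostname validation against a few hostnames. The last part shows the caveat a practitioner needs to know before relying on a wildcard: it covers exactly one label, so backup01.internal.example.com matches but a.b.internal.example.com and the bare zone name do not.

```shell
#!/bin/sh
# Added example, not from the HN thread or from Datto/cfssl: issue a wildcard
# certificate from a private internal CA with the openssl CLI and check which
# hostnames the wildcard actually covers. Zone name, CA subject and file names
# are invented for the example.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# All certificate extensions live in one config so nothing depends on the
# distro's default openssl.cnf. The empty [dn] section is fine because every
# subject is passed with -subj.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.internal.example.com
EOF

# 1. Internal root CA. Only ca.crt is distributed to clients; ca.key stays on
#    the issuing host.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 3650 -subj "/CN=Example Internal CA" \
    -config ext.cnf -extensions ca_ext >/dev/null 2>&1

# 2. One wildcard leaf for the whole internal zone. Name matching uses the
#    subjectAltName from leaf_ext, not the CSR's CN.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=*.internal.example.com" -config ext.cnf >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 825 -extfile ext.cnf -extensions leaf_ext >/dev/null 2>&1

# Prints the DNS names the certificate carries: this is everything a CT log
# would learn about the internal zone if a public CA had issued this cert.
san_names() {
    openssl x509 -in leaf.crt -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Returns 0 when openssl's chain validation plus hostname check accepts $1
# for leaf.crt, 1 otherwise.
matches_host() {
    openssl verify -CAfile ca.crt -verify_hostname "$1" leaf.crt >/dev/null 2>&1
}

echo "names in certificate: $(san_names)"
for h in backup01.internal.example.com a.b.internal.example.com \
         internal.example.com backup01.example.com; do
    if matches_host "$h"; then
        echo "match     $h"
    else
        echo "no match  $h"
    fi
done
```

Run it as-is; it only needs the openssl binary and writes into a temporary directory. If you need names two levels deep, issue a second wildcard for the sub-zone (or a second SAN entry) rather than expecting *.internal.example.com to cover them.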