Server cluster with dynamic DNS

For your security through obscurity approach, this is an extremely horrible idea. When you issue a certificate for your server, the certificate and its details (hostname) will be recorded in a public database in order to satisfy CA/B and browser requirements. This means anyone who is bored enough to scan the database (CT log servers) will be able to find these hostnames and connect to them (if allowed).

Thus, it's better to either use a wildcard certificate, or just use a self-signed certificate for these communications (since a self-signed certificate will not be sent to CT log servers).

If you Google "certbot nsone", the instructions are located on the Certbot website: User Guide — Certbot 2.7.0.dev0 documentation

2 Likes
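To audit what the CT exposure described in the post above looks like for your own zone, the following added example (not part of the original post) lists the hostnames disclosed by logged certificates and flags those a logged wildcard would already have covered. It assumes input shaped like crt.sh's JSON output, where `name_value` holds newline-separated names; the sample records and hostnames are constructed.

```python
import json

# Constructed sample in the shape of crt.sh JSON output (assumption: the
# "name_value" field holds newline-separated SAN entries). Hostnames are made up.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "node1.cluster.example.com"},
    {"id": 2, "name_value": "node2.cluster.example.com\nnode3.cluster.example.com"},
    {"id": 3, "name_value": "*.cluster.example.com"},
    {"id": 4, "name_value": "www.example.com\nexample.com"},
    {"id": 5, "name_value": "NODE1.cluster.example.com."},  # same host, other spelling
])


def exposed_hostnames(ct_json, zone):
    """Return (explicit, wildcards): logged names at or under `zone`."""
    zone = zone.lower().rstrip(".")
    explicit, wildcards = set(), set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            is_wild = name.startswith("*.")
            base = name[2:] if is_wild else name
            if base != zone and not base.endswith("." + zone):
                continue  # certificate name belongs to another zone
            (wildcards if is_wild else explicit).add(name)
    return sorted(explicit), sorted(wildcards)


def needlessly_disclosed(ct_json, zone):
    """Explicit hostnames that a logged wildcard already covers.

    A wildcard matches exactly one label, so only the direct parent is checked.
    These hosts could have used the wildcard certificate and stayed out of CT.
    """
    explicit, wildcards = exposed_hostnames(ct_json, zone)
    result = []
    for host in explicit:
        parent = host.split(".", 1)[1] if "." in host else ""
        if "*." + parent in wildcards:
            result.append(host)
    return result


if __name__ == "__main__":
    names, wilds = exposed_hostnames(SAMPLE_CT_JSON, "example.com")
    print("publicly logged hostnames:", names)
    print("logged wildcards:", wilds)
    print("covered by a wildcard anyway:", needlessly_disclosed(SAMPLE_CT_JSON, "example.com"))
```
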