> Fallback to HTTP reachable via port 80 on the private IP for the server.

How, exactly, is that better than using a common cert? What threat do you propose that applies to HTTPS with a shared cert, and not to HTTP?