New ASM offering from Sprocket Security

I was testing out the new free ASM offering from Sprocket Security and noticed it was picking up internal sites where I have the free Let's Encrypt certs. I had also noticed that Bitsight was seeing them. I originally thought I must have included the internal site names as alt names in a cert that is exposed to the internet, like the one for the mail server, but then I did a quick search, came up with https://crt.sh/?q=strategy.com and was reminded about https://letsencrypt.org/docs/ct-logs/

You may want to check which certificates have been issued for your domains (a Certificate Transparency search such as crt.sh will show every publicly logged cert, including ones for hosts that are not reachable from the internet), make sure only authorized certs exist, and limit wildcard certs.
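The kind of check described above, as an added example that is not part of the original post: it parses the JSON that crt.sh returns for a domain query, collapses the precertificate/certificate pairs that share a serial number, drops expired entries, and then reports wildcard names, names that are not on an allowlist you maintain, and certificates from issuers you do not use. The field names (`issuer_name`, `name_value`, `serial_number`, `not_after`) are the ones crt.sh's `output=json` format uses at the time of writing and are an assumption; the sample entries for `example.com`, the allowlist and the issuer list are constructed for the example.

```python
"""Audit Certificate Transparency results (crt.sh JSON) for a domain.

Added example. Assumes crt.sh's output=json field names; the sample data below is
constructed and does not describe any real certificate.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import quote
from urllib.request import urlopen


@dataclass(frozen=True)
class CertRecord:
    serial: str
    issuer: str
    names: tuple          # every SAN in the cert, lower-cased and sorted
    not_after: datetime


def fetch_crtsh(domain, timeout=30):
    """Download the crt.sh JSON for a domain (network call; not used by the sample)."""
    # crt.sh treats '%' as a SQL LIKE wildcard, so '%.example.com' also matches subdomains.
    url = "https://crt.sh/?q=" + quote(domain) + "&output=json"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_crtsh(json_text):
    """Turn crt.sh JSON into CertRecords, deduplicated by serial number.

    crt.sh lists the precertificate and the final certificate as separate rows;
    both carry the same serial, so keeping the first row per serial is enough.
    """
    records = {}
    for entry in json.loads(json_text):
        serial = entry["serial_number"].lower()
        if serial in records:
            continue
        names = {n.strip().lower() for n in entry["name_value"].splitlines() if n.strip()}
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        records[serial] = CertRecord(serial, entry["issuer_name"], tuple(sorted(names)), not_after)
    return list(records.values())


def audit(records, authorized_names, allowed_issuer_orgs, now=None):
    """Report wildcards, unexpected names and unexpected issuers among unexpired certs."""
    now = now or datetime.now(timezone.utc)
    active = [r for r in records if r.not_after > now]
    wildcards, unauthorized, unknown_issuers = set(), set(), set()
    for r in active:
        # Issuer DN is free text; match on the organisation substring you expect.
        if not any(org in r.issuer for org in allowed_issuer_orgs):
            unknown_issuers.add(r.serial)
        for name in r.names:
            if name.startswith("*."):
                wildcards.add(name)
            elif name not in authorized_names:
                unauthorized.add(name)   # e.g. an internal host that should not be public knowledge
    return {
        "active": len(active),
        "wildcards": sorted(wildcards),
        "unauthorized_names": sorted(unauthorized),
        "unknown_issuer_serials": sorted(unknown_issuers),
    }


# Constructed sample in crt.sh's JSON shape: one precert/cert pair, an internal host,
# a wildcard from an unfamiliar CA and an expired cert that should be ignored.
SAMPLE_JSON = json.dumps([
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com", "id": 1, "entry_timestamp": "2024-01-01T00:00:00",
     "not_before": "2024-01-01T00:00:00", "not_after": "2030-04-01T00:00:00", "serial_number": "0A"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.example.com",
     "name_value": "mail.example.com\nautodiscover.example.com", "id": 2, "entry_timestamp": "2024-01-01T00:00:01",
     "not_before": "2024-01-01T00:00:00", "not_after": "2030-04-01T00:00:00", "serial_number": "0a"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "nas.internal.example.com",
     "name_value": "nas.internal.example.com", "id": 3, "entry_timestamp": "2024-02-01T00:00:00",
     "not_before": "2024-02-01T00:00:00", "not_after": "2030-05-01T00:00:00", "serial_number": "0B"},
    {"issuer_ca_id": 2, "issuer_name": "C=US, O=Some Other CA, CN=Other CA G2", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com", "id": 4, "entry_timestamp": "2024-03-01T00:00:00",
     "not_before": "2024-03-01T00:00:00", "not_after": "2030-06-01T00:00:00", "serial_number": "0C"},
    {"issuer_ca_id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "old.example.com",
     "name_value": "old.example.com", "id": 5, "entry_timestamp": "2019-01-01T00:00:00",
     "not_before": "2019-01-01T00:00:00", "not_after": "2019-04-01T00:00:00", "serial_number": "0D"},
])
AUTHORIZED_NAMES = {"example.com", "mail.example.com", "autodiscover.example.com"}   # assumed allowlist
ALLOWED_ISSUER_ORGS = ("O=Let's Encrypt",)                                            # assumed CA list


def run_sample_audit():
    """Audit the constructed sample at a fixed date so the result is reproducible."""
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return audit(parse_crtsh(SAMPLE_JSON), AUTHORIZED_NAMES, ALLOWED_ISSUER_ORGS, now=fixed_now)


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
    # For a real domain: audit(parse_crtsh(fetch_crtsh("%.example.com")), AUTHORIZED_NAMES, ALLOWED_ISSUER_ORGS)
```

Anything in `unauthorized_names` is a name the world can read out of the CT logs whether or not the host is reachable, which is exactly how an ASM scanner learns about internal-only hosts; a name in `wildcards` is one cert that covers every label under the domain, and `unknown_issuer_serials` points at certs you should trace back to whoever requested them.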

If you are interested in trying out ASM from Sprocket Security you can find out more at https://www.sprocketsecurity.com/solutions/attack-surface-management. For a free option, it does appear to provide a nice interface that gives you a quick overview of your exposed infrastructure.

If you are curious, I use the rfc2136 dynamic DNS update module for certbot to authenticate the internal servers without having to expose the sites to the internet, but having these certs publicly listed makes me reconsider my naming convention, since it may give away what services I have running on my internal network.