Certs stopped working? NET::ERR_CERT_COMMON_NAME_INVALID

My domain is:
bmrx.dev

I ran this command:
sudo certbot --apache

It produced this output:
Normal output, no errors

My web server is (include version):
bmrx.duckdns.org Doh
Apache2

The operating system my web server runs on is (include version):
Debian 10 (Buster)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

I ran certbot when I first got this domain, certs went through and I didn’t even have to mess around with the VHost file. Outside of an odd issue with google domains where going to https://bmrx.dev did not work but going to https://www.bmrx.dev did. Simply used a redirect in their control panel for the domain (Synthetic records) to redirect to www.bmrx.dev and everything was working fine and dandy.

Couple weeks ago or so they stopped working with google chrome giving this error: NET::ERR_CERT_COMMON_NAME_INVALID.

https://crt.sh/?q=bmrx.dev according to this google issued some certs to my site, I think this is just something that comes with the .dev domain honestly this is all black magic to me so it’s weird and I’m probably in over my head a bit.

So I tried deleting my certs and just remaking one (sudo certbot delete) and removed the files in /etc/letsencrypt/archive/ and /renewal/, I also however deleted my old .conf file without thinking it over, so I just remade what I thought was correct and ran certbot again

<VirtualHost *:80>
        ServerAdmin someone@something.com
        ServerName bmrx.dev
        ServerAlias www.bmrx.dev
        DocumentRoot /var/www/html
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =bmrx.dev [OR]
        RewriteCond %{SERVER_NAME} =www.bmrx.dev
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin someone@something.com
        ServerName bmrx.dev
        DocumentRoot /var/www/html

        SSLCertificateFile /etc/letsencrypt/live/bmrx.dev-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/bmrx.dev-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

This is it.

So now I’m not really sure what is happening here and any help would be greatly appreciated, thank you.

EDIT/ I should note that I am using a CNAME record to point the domain to my server, (static ip is not an option)

these two are related. you can’t have a cname on bmrx.dev but on www.bmrx.dev you can. this is why google listens on bmrx.dev and redirects to www.bmrx.dev (this redirect can be https-> http, bad)

right now there is no webserver listening on your 443 port.

most probably the reason your certificate isn’t working is that you have a cert for bmrx.dev while you need a certificate for www.bmrx.dev (and google needs it for bmrx.dev so it can redirect)

so, add

in the second block too. (you can use www.bmrx.dev as servername in both blocks, removing the alias)

and then run certbot -d www.bmrx.dev

This line helped a lot, my ISP moved portforwarding away from their rented out modem and must now be accessed via their website. It messed up a lot of my forwarding rules and wouldn’t you know I forgot to open that port so thanks for that!

I took your advice, removed the Alias and changed ServerName to www.bmrx.dev. It seems like the port forwarding rule is taking some time to start working,

<VirtualHost *:80>
        ServerAdmin someone@something.com
        ServerName www.bmrx.dev
        DocumentRoot /var/www/html
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =bmrx.dev [OR]
        RewriteCond %{SERVER_NAME} =www.bmrx.dev
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin someone@something.com
        ServerName www.bmrx.dev
        DocumentRoot /var/www/html

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.bmrx.dev/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.bmrx.dev/privkey.pem
</VirtualHost>
</IfModule>

Not much of a change but there it is. I then ran the suggested command and checking https://crt.sh/?q=bmrx.dev now shows that it is there.

So hopefully once the port forwarding figures itself out this should be working. If it does start working I will mark your reply as the solution.
Thank you.
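
The name mismatch diagnosed in this thread can be checked offline before reloading Apache. The following is an added example, not code from the thread or from certbot: it reads the :443 blocks of a vhost file, picks the vhost Apache would serve for each hostname, and tests that hostname against the certificate's SAN entries. The function names are hypothetical, and the SAN lists are constructed from the reply's diagnosis rather than read from the real certificates.

```python
import re

# Constructed inputs: the :443 blocks posted above (trimmed), plus SAN lists ASSUMED
# from the reply's diagnosis (first cert names only bmrx.dev, the reissued one only www).
CONF_BEFORE = """<VirtualHost *:443>
        ServerName bmrx.dev
        SSLCertificateFile /etc/letsencrypt/live/bmrx.dev-0001/fullchain.pem
</VirtualHost>"""
CONF_AFTER = """<VirtualHost *:443>
        ServerName www.bmrx.dev
        SSLCertificateFile /etc/letsencrypt/live/www.bmrx.dev/fullchain.pem
</VirtualHost>"""
CERT_SANS = {
    "/etc/letsencrypt/live/bmrx.dev-0001/fullchain.pem": ["bmrx.dev"],
    "/etc/letsencrypt/live/www.bmrx.dev/fullchain.pem": ["www.bmrx.dev"],
}

def san_matches(host, pattern):
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def tls_vhosts(conf):
    """Return [(names, cert_path)] for each <VirtualHost ...:443> block, in file order."""
    found = []
    for block in re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf, re.S | re.I):
        lines = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M | re.I)
        names = [name for line in lines for name in line.split()]
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", block, re.M | re.I)
        found.append((names, cert.group(1) if cert else None))
    return found

def audit(conf, cert_sans, requested):
    """Map each hostname a browser might use to True if the served cert covers it."""
    vhosts = tls_vhosts(conf)
    def served_ok(host):
        if not vhosts:
            return False
        # Apache uses the first vhost naming the host, else the first vhost on the port.
        names, cert = next((v for v in vhosts if host in v[0]), vhosts[0])
        return any(san_matches(host, s) for s in cert_sans.get(cert, []))
    return {h: served_ok(h) for h in requested}

if __name__ == "__main__":
    print(audit(CONF_BEFORE, CERT_SANS, ["bmrx.dev", "www.bmrx.dev"]))
    print(audit(CONF_AFTER, CERT_SANS, ["www.bmrx.dev"]))
```

A False entry corresponds to the state in which Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID for that hostname.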