Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: datastore.ro
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): Ubuntu 18.04
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Yes Juergen.
I did not know how to set up the preferred vs non-preferred version and my rewrite rule was somehow different than yours.
Is it better to have that CAA entry and limit which CA can create certificates, or just leave it as it is?
In case I want to limit which CAs create certificates, what should I add to my BIND server?
This is a web application security issue, not a certificate or HTTPS issue.
It has to do with preventing attacks in which a malicious network generates HTTP links to your site in order to watch users’ browsers transmit the cookie unencrypted (or in which the user types in the HTTP version of your site and transmits the cookie unencrypted).
In this case, you should look at your web application or web application framework and see if there’s a way to set more security headers. If you don’t understand this, you might want to look for a tutorial on web application security or on security headers. I’m sure this topic has been widely discussed around the Internet.
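An added example, not part of the original thread: a small Python check for the condition described in the reply above. A cookie set without the `Secure` attribute is also sent by the browser over plain `http://`, and a `Strict-Transport-Security` header tells the browser to use HTTPS for later visits. The header list is constructed sample data and the function names are hypothetical.

```python
"""Audit response headers for cookies a browser would also send over plain HTTP."""

# Constructed sample: headers as an HTTPS response might return them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "lang=ro; Path=/; Secure"),
    ("Set-Cookie", "auth=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value):
    """Return (cookie_name, {lowercased attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def hsts_max_age(headers):
    """Return the Strict-Transport-Security max-age in seconds, or 0 if absent/invalid."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            k, _, v = directive.strip().partition("=")
            if k.lower() == "max-age" and v.strip('"').isdigit():
                return int(v.strip('"'))
    return 0


def audit(headers):
    """List cookies missing Secure (sent over http:// too) and report HSTS status."""
    insecure = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                insecure.append(name)
    return {"cookies_without_secure": insecure, "hsts_enabled": hsts_max_age(headers) > 0}


if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```

To audit a live site, feed `audit()` the header pairs from an HTTPS response to your own server instead of the sample list.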