Where can I find the .htaccess file for a website

OS type and version REQUIRED
Virtualmin version REQUIRED

I have set up my web sites with Letsencrypt SSL cert, however when I go to the website it says it is not secure but when I enter https it shows as secure where is the .htaccess file for each website and or how do I configure one for each of my websites?

.htaccess is not related to Let’s Encrypt.

You’ll need to look to make sure you’re being served the certificate you expect (click on the lock and “more information” or whatever your browser calls it), that it is not expired, etc.

You’ll probably also want to look at the error_log when restarting Apache to see if there are any errors related to certificates.

The .htaccess file is in the root of the directory of the public Web site (typically public_html). You will have to enable view for hidden files (“dotfiles”) to see it in most applications. There may also be .htaccess files in other directories, but for this you want the one in the web root.

There are a number of ways to redirect all requests to https. One is to place the following code in the .htaccess file, usually (but with some rare exceptions) at the top of the file:

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

There are other ways, as well.

If you’re also aliasing other sites to your domain and want them to open on your main domain, you can combine the https redirect with the entries to alias the other domains. For example:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} aliasdomain.com$ [NC,OR]
RewriteCond %{HTTP_HOST} anotheraliasdomain$ [NC,OR]
RewriteCond %{HTTP_HOST} wouldyoubelieveanotheraliasdomain.com$ [NC]
RewriteRule ^ https://yourdomain.com%{REQUEST_URI} [L,R=301,NE]

Back up .htaccess before playing with it. Mistakes can crash your entire site.


how do you enable the view to see the .htaccess file in the public_html directory

you may not have one, create a .htaccess and see if you can see it.

.htaccess continues to have nothing to do with Let’s Encrypt or why your browser shows your site is insecure.

I think they trying to do a force ssl by the code

1 Like

OP appears to have a valid SSL cert, Joe:

when I go to the website it says it is not secure but when I enter https it shows as secure

He / she just wants to force SSL using .htaccess .

1 Like

I believe that’s the default in the Virtualmin file manager. Many other apps with built-in FTP clients default to not seeing dotfiles.

If you create a new one, make sure to hit Enter after the last line. The last line should be a blank line.


I was able to find the .htaccess file in the editor folder and I am wondering if this needs to be placed in the the public_ntml folder. below is thefile

deny everything

<FilesMatch “.*”>

Require all denied

<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all

but now allow just certain necessary files:

<FilesMatch “(?i).*.(js|css|jpg|gif|webp|png|html?|xml|svgz?)$”>

Require all granted

<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all

IndexIgnore /

NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):

OPTIONS -Indexes -ExecCGI

Is this a WordPress site by any chance? Also, did you find this (or any .htacess file at all) in public_html ?

In any case, for the specific purpose of redirecting to https, all you have to do is place the following code at the top of the .htaccess file in public_html :

RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That’s generic and will work regardless of the domain name.

If there is no existing .htaccess file in public_html , then a new file containing only the above code will work. Don’t forget the blank last line. If there is an existing .htaccess file in public_html , then add the above code to the top of the file, before whatever else may be in there, and save it.

There is no need to modify .htaccess anywhere else to achieve https redirection. You can leave those files alone.


Thank you to all who have responded. Your help has been very helpful. I do have one other question I am trying to setup an Opencart website all works correctly until I add a Letsincript SSL certificate and then things get all weird, any ideas?

I’m not familiar with OpenCart, but a wild guess would be that the site’s URL has to be updated from http to https in some config file.


have you config opencart for ssl?

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.