• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

SSL certificate signed

Scheduled Pinned Locked Moved webGUI
35 Posts 8 Posters 26.4k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    JohnnyBeGood
    last edited by Aug 28, 2015, 4:11 AM

    Hi all,

    It never bother me until new version of Kaspersky IS came out and now I get bellow warning and requires prompts every time.
    This is what I found online http://www.itnotes.eu/?p=1570 which explains how to create free certificates.
    I went ahead and create one. At the end I have .cer file but on pfSense certification page its asking me about Certificate data and Private key data. When I paste in my public key I get error:

    The following input errors were detected:

    This certificate does not appear to be valid.
    The field Key data is required.

    What am I doing wrong?
    I'm just trying to get rid of this SSL warning prompt.

    Thanks
    Capture.JPG
    Capture.JPG_thumb
    Untitled.png
    Untitled.png_thumb
    Untitled2.png
    Untitled2.png_thumb

    I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

    1 Reply Last reply Reply Quote 0
    • D
      Derelict LAYER 8 Netgate
      last edited by Aug 28, 2015, 7:30 AM

      A certificate on a server requires a certificate and a private key. And, usually, and intermediate CA certificate.

      Both certificate and private key should be entered in the import certificate page.

      If you need an intermediate CA certificate, just import it as a CA - you will not have the private key so leave it blank.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • J
        JohnnyBeGood
        last edited by Aug 28, 2015, 2:16 PM

        @Derelict:

        A certificate on a server requires a certificate and a private key. And, usually, and intermediate CA certificate.

        Both certificate and private key should be entered in the import certificate page.

        If you need an intermediate CA certificate, just import it as a CA - you will not have the private key so leave it blank.

        Derelict,

        Thanks for the reply!

        So I got public key from their .cert file and pasted it as "Certificate data" but its giving me error that "This certificate does not appear to be valid."
        I guess what I don't understand is why on pfSense there's nowhere to upload that .cert file?

        pfsense_cert_page.PNG
        pfsense_cert_page.PNG_thumb

        I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

        1 Reply Last reply Reply Quote 0
        • D
          Derelict LAYER 8 Netgate
          last edited by Aug 28, 2015, 3:22 PM

          Get the certificate in PEM format.  It will look something like this:

          –---BEGIN CERTIFICATE-----
          MIIFTjCCBDagAwIBAgIQG1r/78gt1gbpG+qPmcKZxzANBgkqhkiG9w0BAQsFADCB
          kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
          A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
          BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
          QTAeFw0xNTA4MTcwMDAwMDBaFw0xODA4MjIyMzU5NTlaMFoxITAfBgNVBAsTGERv
          bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
          ZGNhcmQxFjAUBgNVBAMMDSoucGZzZW5zZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
          A4IBDwAwggEKAoIBAQDIzOkrFy7AHTUWqJdIF2IvDtTM8X3RTb8O52QG8sAokDCv
          u+ad3wgPCboJhUvLwDB9bUZ+/JIOV2tMNzcJ2h6IPRRfh/2RMV+aI3cdWgKxmB5d
          sZUZp22Tviwol145Ty5lEVkRFLVn6y5MLgj2Pju4q5hEUPBjoiMpufeyHM/NnWf0
          IWtuDFB+VlaApXnnpxhMejChdBQeAdUV6QZcHvQiVXn+EnQaj4l+kwwxaS+GwLA6
          TVC988yood/FG3yMu7RLgS6a9CeJ8f4SpGifg0JouTU5iR02MQwLyUhESQcl9yQ/
          ANERGLM7+giyJvAD9jpj/ErnZINgBmu+RpzK4NDbAgMBAAGjggHXMIIB0zAfBgNV
          HSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQU3bK8mIZpBTqH
          JyRIxOK5ArpV220wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
          BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQEC
          AgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw
          CAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2Eu
          Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmww
          gYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9j
          YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
          dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCUGA1UdEQQe
          MByCDSoucGZzZW5zZS5vcmeCC3Bmc2Vuc2Uub3JnMA0GCSqGSIb3DQEBCwUAA4IB
          AQAhtYwrG8qpDDN3R+BkuRfULnzy3DB7MbzSukmtLo3QNrimOfuWepUKqa6Vabm6
          JrIGle0ehemGp3S6jWAS54FZnViobgaiQ4qYqXlNaCT73qHNSIGDszQBov6oHNo1
          aa+s+7e4hN5+fXnX9uscZ+afFfKHS8j4kg21pNEg5r3lIZg4flc5DtDhxeSor/0b
          9jx8D4yus/py2xnM9jy8z1C8EXpQPR+5PvMTpfEVJTgX4y+6P+9t5TEc+hgioGZQ
          GfFDnI0On9A0BYfpjnRKs8o2Y+7OEmSoAA3/fe8vOBaTLpGn5HGZJOj8QPmgud49
          oML3RbMw4y2L6ONLMpNFupVa
          -----END CERTIFICATE-----

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • G
            Gertjan
            last edited by Aug 28, 2015, 3:48 PM

            Hi,

            Use this as a guide line : https://forum.pfsense.org/index.php?topic=63791.0 - it mentions an example with a certificate from StartSSL.

            I always used a self-generated certificate from pfSense - but already used a real -signed- certificate from StartSSL for my Portal page.

            I saw you message, so I decide to generate a valid certificate from StartSSL for my Web GUI pfSense access.

            My domain name, which also really exist on the net, is brit-hotel-fumel.net
            My host name (pfSense) is : "pfsense"

            First image :
            Add the Intermediate and Root certificate that you must obtain from StartSSL. (because I was already using one certificate from them for my portal interface, they ware already there for me).

            Next image:
            You obtain first from StartSSL a file called "ssl.key" - Keep this file, do not use it directly. Use the command openssl ….. or the tools from StartSSL to decrypt it (using the password you gave to StartSSL to generate it).

            The ssl.crt file goes into the first 'block' (Certificate data).
            Your ssl.key that you decrypted goes into the second block (Private key data).
            Give it also a name, like I did : "pfsense GUI Acces"

            You can see in the second image :
            The 'default' auto generated cert from pfSEnse which isn't used now anymore, so I could delete it.
            A second cert record for my portal interface : portal.brit-hotel-fumel.net
            A third cert record for my web GUI acces (pfsense.brit-hotel-fumel.net) which is, as you can see, generated today : 28 august, 2015 ;)

            After that, I was already using https acces, but I switch from the auto generated cert to the new StartSSL cert, and ..... looooo, no more warnings from my browser :)

            CAs.png
            CAs.png_thumb
            Certificates.PNG
            Certificates.PNG_thumb

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • J
              JohnnyBeGood
              last edited by Sep 8, 2015, 2:06 AM

              @Gertjan:

              Hi,

              Use this as a guide line : https://forum.pfsense.org/index.php?topic=63791.0 - it mentions an example with a certificate from StartSSL.

              I always used a self-generated certificate from pfSense - but already used a real -signed- certificate from StartSSL for my Portal page.

              I saw you message, so I decide to generate a valid certificate from StartSSL for my Web GUI pfSense access.

              My domain name, which also really exist on the net, is brit-hotel-fumel.net
              My host name (pfSense) is : "pfsense"

              First image :
              Add the Intermediate and Root certificate that you must obtain from StartSSL. (because I was already using one certificate from them for my portal interface, they ware already there for me).

              Next image:
              You obtain first from StartSSL a file called "ssl.key" - Keep this file, do not use it directly. Use the command openssl ….. or the tools from StartSSL to decrypt it (using the password you gave to StartSSL to generate it).

              The ssl.crt file goes into the first 'block' (Certificate data).
              Your ssl.key that you decrypted goes into the second block (Private key data).
              Give it also a name, like I did : "pfsense GUI Acces"

              You can see in the second image :
              The 'default' auto generated cert from pfSEnse which isn't used now anymore, so I could delete it.
              A second cert record for my portal interface : portal.brit-hotel-fumel.net
              A third cert record for my web GUI acces (pfsense.brit-hotel-fumel.net) which is, as you can see, generated today : 28 august, 2015 ;)

              After that, I was already using https acces, but I switch from the auto generated cert to the new StartSSL cert, and ..... looooo, no more warnings from my browser :)

              Thanks for the replies guys!

              I also have pfsense.mydomain.net and what I don't understand is how to retrieve Private key data.
              As suggested StartSSL website once certificate was generated I followed their instructions and backed up using Chrome https://www.startssl.com/?app=25#4 and I have certificate.pfx file.

              How did you get ssl.crt and ss.key files?

              Tool box on StartSSL did not help me.

              ![startssl tool box.JPG](/public/imported_attachments/1/startssl tool box.JPG)
              ![startssl tool box.JPG_thumb](/public/imported_attachments/1/startssl tool box.JPG_thumb)

              I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

              1 Reply Last reply Reply Quote 0
              • D
                Derelict LAYER 8 Netgate
                last edited by Sep 8, 2015, 2:37 AM Sep 8, 2015, 2:20 AM

                You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

                Where the key is depends on how you generated the CSR.  Or did you let StartSSL create it?

                I've never done it that way.  I always generate CSRs locally and upload them (Keeping the private key with me the whole time).

                It generates an encrypted private key and gives you this command to decrypt it:

                openssl rsa -in ssl.key -out ssl.key

                –---BEGIN RSA PRIVATE KEY-----
                Proc-Type: 4,ENCRYPTED
                DEK-Info: AES-256-CBC,...
                -----END RSA PRIVATE KEY-----

                Worked for me.  I ended up with ssl.key containing the unencrypted rsa key in PEM format.

                That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (Both in the Toolbox) should be all you need. Their decryption tool worked for me too.

                ETA - It's easier just to generate a CSR using pfSense.  You can just put BS in the attributes (I just used Temp for everything except email.  There I used a@b.c.  CAs toss all that stuff anyway, replacing it with what they have verified.  All the CSR really needs to contain is the private key fingerprint.)

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • J
                  JohnnyBeGood
                  last edited by Sep 8, 2015, 3:12 AM

                  @Derelict:

                  You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

                  Where the key is depends on how you generated the CSR.  Or did you let StartSSL create it?

                  I've never done it that way.  I always generate CSRs locally and upload them (Keeping the private key with me the whole time).

                  It generates an encrypted private key and gives you this command to decrypt it:

                  openssl rsa -in ssl.key -out ssl.key

                  –---BEGIN RSA PRIVATE KEY-----
                  Proc-Type: 4,ENCRYPTED
                  DEK-Info: AES-256-CBC,...
                  -----END RSA PRIVATE KEY-----

                  Worked for me.  I ended up with ssl.key containing the unencrypted rsa key in PEM format.

                  That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (Both in the Toolbox) should be all you need. Their decryption tool worked for me too.

                  ETA - It's easier just to generate a CSR using pfSense.  You can just put BS in the attributes (I just used Temp for everything except email.  There I used a@b.c.  CAs toss all that stuff anyway, replacing it with what they have verified.  All the CSR really needs to contain is the private key fingerprint.)

                  When I click on "Retrieve Certificate" link under certificate I don't get anything (see attached screenshot).

                  Entire certificate was done using StartSSL and Chrome was used to back it up so nothing was done locally (command line).

                  certificate.JPG
                  certificate.JPG_thumb

                  I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                  1 Reply Last reply Reply Quote 0
                  • D
                    Derelict LAYER 8 Netgate
                    last edited by Sep 8, 2015, 3:37 AM

                    Then it hasn't been issued for some reason.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • J
                      JohnnyBeGood
                      last edited by Sep 8, 2015, 3:40 AM

                      @Derelict:

                      Then it hasn't been issued for some reason.

                      Thanks, I will email them.

                      I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                      1 Reply Last reply Reply Quote 0
                      • G
                        Gertjan
                        last edited by Sep 8, 2015, 5:59 AM

                        If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
                        First: goto the "Validations Wizard" and do a "Domaine name validation".
                        Then: goto "Certificates Wizard", select "Web server SSL/TLS Certificate" and run it down.

                        Normally, I let them generate the files.
                        Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself with a detail:
                        I use this:

                        openssl rsa -in ssl.key -out ssl-decrypted.key
                        

                        this way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decypted.key' file afterwards.

                        I'll join an image to motivate you  ;)

                        startssl-pfsense.png
                        startssl-pfsense.png_thumb

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 0
                        • J
                          JohnnyBeGood
                          last edited by Sep 9, 2015, 5:31 AM

                          @Gertjan:

                          If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
                          First: goto the "Validations Wizard" and do a "Domaine name validation".
                          Then: goto "Certificates Wizard", select "Web server SSL/TLS Certificate" and run it down.

                          Normally, I let them generate the files.
                          Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself with a detail:
                          I use this:

                          openssl rsa -in ssl.key -out ssl-decrypted.key
                          

                          this way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decypted.key' file afterwards.

                          I'll join an image to motivate you  ;)

                          Nice motivation :)

                          I was able to get "Retrieve Certificate" working and the reason was because I never finished the process :(
                          Now after I have both enter and without any errors like before I still get invalid, how did you "force" your browser to use new certificate?

                          still.JPG

                          I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                          1 Reply Last reply Reply Quote 0
                          • D
                            Derelict LAYER 8 Netgate
                            last edited by Sep 9, 2015, 5:36 AM

                            Did you install the Intermediate as a CA?

                            Did you install the StartSSL certificate?

                            Does pfSense recognize that the Cert is signed by the CA?

                            Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

                            Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • J
                              JohnnyBeGood
                              last edited by Sep 9, 2015, 5:52 AM

                              @Derelict:

                              Did you install the Intermediate as a CA?

                              Did you install the StartSSL certificate?

                              Does pfSense recognize that the Cert is signed by the CA?

                              Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

                              Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

                              :(

                              So I went to check if I was using new certificate under System > Advanced > Admin Access and when I change from self generated to the one I created now I stuck and cannot login into pfsense interface. In chrome I get:

                              **This webpage is not available

                              ERR_CONNECTION_TIMED_OUT**

                              Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

                              I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                              1 Reply Last reply Reply Quote 0
                              • D
                                Derelict LAYER 8 Netgate
                                last edited by Sep 9, 2015, 6:13 AM

                                Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

                                Connect to http://192.168.1.1/ and see what happens.

                                Did you change the listening port?  You're trying https:// and https://host:81 there.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • G
                                  Gertjan
                                  last edited by Sep 9, 2015, 7:11 AM

                                  @JohnnyBeGood:

                                  ….. now I stuck and cannot login into pfsense interface. In chrome I get:

                                  Been there - seen that.

                                  My 'solution' : SSH intp pfSense. Option 8: shell.

                                  Type
                                  viconfig

                                  Find
                                  <protocol>https</protocol>
                                  Change it for
                                  <protocol>http</protocol>
                                  Save.
                                  Reboot.

                                  Warning : editing the config.xml is "not done" (thats why it works ;)).
                                  You are using editor vi - its somewhat special.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JohnnyBeGood
                                    last edited by Sep 10, 2015, 2:41 AM

                                    @Gertjan:

                                    @JohnnyBeGood:

                                    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

                                    Been there - seen that.

                                    My 'solution' : SSH intp pfSense. Option 8: shell.

                                    Type
                                    viconfig

                                    Find
                                    <protocol>https</protocol>
                                    Change it for
                                    <protocol>http</protocol>
                                    Save.
                                    Reboot.

                                    Warning : editing the config.xml is "not done" (thats why it works ;)).
                                    You are using editor vi - its somewhat special.

                                    I'm glad I'm not the only one with this issue  ;)

                                    So using Putty SSH I tried to connect to 192.168.1.1 but it keeps timing out. I'm assuming that SSH deamon is not enabled.
                                    My next step would be to physically connect keyboard and monitor and try to connect that way. Are above steps the same?

                                    I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                                    1 Reply Last reply Reply Quote 0
                                    • J
                                      JohnnyBeGood
                                      last edited by Sep 10, 2015, 2:44 AM

                                      @Derelict:

                                      Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

                                      Connect to http://192.168.1.1/ and see what happens.

                                      Did you change the listening port?  You're trying https:// and https://host:81 there.

                                      I did try connecting to http://192.168.1.1/ but it does not connect.
                                      Neither port 80 or 81 worked.

                                      I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                                      1 Reply Last reply Reply Quote 0
                                      • G
                                        Gertjan
                                        last edited by Sep 10, 2015, 5:43 AM

                                        @JohnnyBeGood:

                                        I'm assuming that SSH deamon is not enabled.

                                        Possible.
                                        But not for me.
                                        A remote system without remote SSH enabled: unthinkable.
                                        SSH is not some kind of 'emergency back door' : its the main maintenance port of any system. (GUI is just the next best thing)
                                        For me, that is.  I guess its quiet usual for people born before 1970  ;)

                                        @JohnnyBeGood:

                                        My next step would be to physically connect keyboard and monitor and try to connect that way. Are above steps the same?

                                        Of course.

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        1 Reply Last reply Reply Quote 0
                                        • J
                                          JohnnyBeGood
                                          last edited by Sep 18, 2015, 2:57 AM

                                          @Gertjan:

                                          @JohnnyBeGood:

                                          ….. now I stuck and cannot login into pfsense interface. In chrome I get:

                                          Been there - seen that.

                                          My 'solution' : SSH intp pfSense. Option 8: shell.

                                          Type
                                          viconfig

                                          Find
                                          <protocol>https</protocol>
                                          Change it for
                                          <protocol>http</protocol>
                                          Save.
                                          Reboot.

                                          Warning : editing the config.xml is "not done" (thats why it works ;)).
                                          You are using editor vi - its somewhat special.

                                          Thanks for this, you're a life saver! I thought I need to re-install it  :'(

                                          I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received