liquibase: Liquibase website is unavailable

OK, so now everything should be back up and running. Here’s what happened:

• liquibase.org is hosted on WPEngine on their legacy network.
• Yesterday (6/6) there was an outage with our site
• The solution from WPEngine was to update our DNS to use their Advanced Network Offering
• This brought the site back online, but broke HTTP redirects for XSDs and enabled CloudFlare security which blocks Java agents < version 10.
• Today we reverted the DNS change back to the legacy network. I’ve tested access to the XSDs via browser, curl, and liqubase-maven-plugin and all seem to be working.

Thank you all for being patient with us. Apologies for the outage. We are looking at ways to mitigate this type of thing in the future.

The liquibase.org site is back up and the XSDs should be available. Could you let us know if things are working for you again?

I can retrieve XSD files with the browser, but builds in my CI pipeline using the liquibase-maven-plugin are failing on a year old changeset - the error still occurs:

Failed to read schema document 'http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.: Server returned HTTP response code: 403 for URL: http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd -> [Help 1]

Hi All, can you please test your workflows again and let me know if they are working?

Found on another forum and was able to reproduce the issue in Postman.

1. Create a GET request to https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd and execute. We content of XSD is returned and status is 200.
2. Add User-Agent: Java/1.8.0_251 request header. Now the response is 403 and I can see an error message:

Error 1010
Ray ID: 7d36b3e76dca9555 • 2023-06-07 06:05:19 UTC
Access denied
What happened?
The owner of this website (www.liquibase.org) has banned your access based on your browser's signature (7d36b3e76dca9555-ua21).

Hello, as indicated by @ingokuba. If you change :

http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd

by

https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd

it works for version 4.6.2 in a springboot app.

Thanks!!

It looks like the website is now up and accessible, but there seems to now be a redirect in place from HTTP to HTTPS, which breaks older versions of Liquibase. Can the redirect be reverted? We have old versions in the wild that we can’t (easily) update, and they’re now broken.

liquibase.exception.ChangeLogParseException: liquibase.exception.SetupException: Error parsing line 2 column 35 of liquibase-boomi-bus.xml: s4s-elt-character: Non-whitespace characters are not allowed in schema elements other than 'xs:appinfo' and 'xs:documentation'. Saw '301 Moved Permanently'.
        at liquibase.parser.core.xml.AbstractChangeLogParser.parse(AbstractChangeLogParser.java:25)
        at liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:216)
        at liquibase.Liquibase.update(Liquibase.java:189)
        at liquibase.Liquibase.update(Liquibase.java:178)
        at liquibase.integration.commandline.Main.doMigration(Main.java:1639)
        at liquibase.integration.commandline.Main.run(Main.java:303)
        at liquibase.integration.commandline.Main.main(Main.java:159)

The liquibase.org site is back up and the XSDs should be available. Could you let us know if things are working for you again?

Still getting an error for http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd because of the 301 return code - should switch to https it seems 🥲

Thanks all. Great find. Working with WPEngine support right now and will post an update shortly.

@kjthorpe18 If you are on 3.4.1, the -latest.xsd won’t work for you. The overall logic liquibase should be doing is:

1. If the referenced xsd can be found bundled with the liquibase build, use that
2. If not, try to download it (this is normally not what you want anyway, and later versions of liquibase disable this from even being tried by default)

Step 2 is having a problem on our server we’re looking into, but you should be able to stop it at step 1 by only referencing xsd filese that are bundled in your version of Liquibase. So for 3.4.1, that will be dbchangelog-3.4.xsd or earlier. The dbchangelog-latest.xsd file was only introduced around 4.12, so if you are on any versions before 4.12 then requesting dbchangelog-latest.xsd will still be trying to go out to the network.

If you change your reference to http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.4.xsd does it work?

Also: if you are have a reference to a liquibase-pro xsd file with 3.4.1 you’ll also be hitting the “fall back to the network” step, since there was no support for any pro functionality in 3.4.1. Removing that xsd reference will help too.

@jnewton03 You can use this https://github.com/ojas-krishnaprasad/Liquibase, mvn liquibase:update

Thank you @dvt-blip-ui 🙏

Only updating the link to the changelog xsd file location seems to be the solution (for me):

<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog 
                      https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">

(line breaks for readability)

@kevin-atx We are getting 403 errors either with http / https as well Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.4.xsd at sun.net.www.protocol.http.HttpURLConnection.getInputStream0 (HttpURLConnection.java:1902) at sun.net.www.protocol.http.HttpURLConnection.getInputStream (HttpURLConnection.java:1500) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream (HttpsURLConnectionImpl.java:268) at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity (XMLEntityManager.java:648) at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion (XMLVersionDetector.java:148) at com.sun.org.apache.xerces.internal.impl.xs.opti.SchemaParsingConfig.parse (SchemaParsingConfig.java:582)

We’re looking into the http to https redirect with the goal of removing the redirect. I’ll share an update with you when I hear back.

Fun fact: Even with HTTPS enabled I’m getting an error - it sounds like the XSD itself has changed? 🤔

liquibase.exception.ChangeLogParseException: Error parsing line 3 column 137 of META-INF/changelog.xml: cvc-elt.1.a: Cannot find the declaration of element 'databaseChangeLog'
at org.liquibase//liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode(XMLChangeLogSAXParser.java:113)
	at org.liquibase//liquibase.parser.core.xml.AbstractChangeLogParser.parse(AbstractChangeLogParser.java:15)
	at org.liquibase//liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:369)
	at org.liquibase//liquibase.Liquibase$16.run(Liquibase.java:1982)
	at org.liquibase//liquibase.Scope.lambda$child$0(Scope.java:180)
	at org.liquibase//liquibase.Scope.child(Scope.java:189)
	at org.liquibase//liquibase.Scope.child(Scope.java:179)
	at org.liquibase//liquibase.Scope.child(Scope.java:158)
	at org.liquibase//liquibase.Liquibase.runInScope(Liquibase.java:2405)
	at org.liquibase//liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1978)

I’ll investigate further - maybe my fault

edit: ℹ️ Using liquibase-core 4.8.0

Hi, have you added https only to this link? : https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd

I say this because I got your error if I add https to the xmlns properties urls of the databasechangelog element.

Only this url : https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd, others with http its okey for me.

regards!

Fun fact: Even with HTTPS enabled I’m getting an error - it sounds like the XSD itself has changed? 🤔

liquibase.exception.ChangeLogParseException: Error parsing line 3 column 137 of META-INF/changelog.xml: cvc-elt.1.a: Cannot find the declaration of element 'databaseChangeLog'
at org.liquibase//liquibase.parser.core.xml.XMLChangeLogSAXParser.parseToNode(XMLChangeLogSAXParser.java:113)
	at org.liquibase//liquibase.parser.core.xml.AbstractChangeLogParser.parse(AbstractChangeLogParser.java:15)
	at org.liquibase//liquibase.Liquibase.getDatabaseChangeLog(Liquibase.java:369)
	at org.liquibase//liquibase.Liquibase$16.run(Liquibase.java:1982)
	at org.liquibase//liquibase.Scope.lambda$child$0(Scope.java:180)
	at org.liquibase//liquibase.Scope.child(Scope.java:189)
	at org.liquibase//liquibase.Scope.child(Scope.java:179)
	at org.liquibase//liquibase.Scope.child(Scope.java:158)
	at org.liquibase//liquibase.Liquibase.runInScope(Liquibase.java:2405)
	at org.liquibase//liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1978)

I’ll investigate further - maybe my fault

edit: ℹ️ Using liquibase-core 4.8.0

Doesn’t this break keycloak for instance which has http within the final peice of the schemaLocation? https://github.com/keycloak/keycloak/blob/989ffe2d228374847565c34f6ffd14afcfb31337/model/jpa/src/main/resources/META-INF/jpa-changelog-1.0.0.Final-db2.xml#L19

EDIT: for reference, this was in response to a now removed comment around http should be replaced with https

@ingokuba appreciate assistance here as whilst i can technically look to fix this for my own applications this doesn’t resolve it for third party dependencies such as keycloak

You can upgrade your dependency version (i have upgraded upto 4.16.0). it help me. There are schemas in artifact

Hello,

We are aware of the issue and working to resolve it as soon as possible. We will come back with an ETA.

Please contact support if you are a Liquibase customer. Otherwise, please watch this ticket as we will provide further updates here.

my production is down now thx a lot

For us this worked:

<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog https://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">

I just heard from the team that the automatic XSD redirect from http to https has been removed. Caching might still be an issue for people (clearing the cache or time should address that). Please let me know if this change helps the situation for those that still have trouble accessing the XSDs.

I feel as if something has been changed in the backend around nginx as it is now doing permanent redirects when it wasn’t before. Surely a server snippet change has also been made in addition to the certificate being swapped out?

Can’t we remove the redirect entirely or at least have a seperate server snippet for the relevant locations which house the schemas?

The liquibase.org site is back up and the XSDs should be available. Could you let us know if things are working for you again?

I can curl the XSD from the command line but our web application is returning a 403 error when attempting to fetch the XSD. I believe this might be due to the cert change and our previously signed cert in the java keystore not aligning with the new certificate issued to the site.

Hey there, I just tried to call the hotline, unfortunately the agent was not able to hear me and hang up. So I don’t know whether there will be any solution soon. Please keep us in touch.

Best Regards

Workaround:

1. Download schema from https://github.com/liquibase/liquibase/tree/master/liquibase-standard/src/main/resources/www.liquibase.org/xml/ns/dbchangelog
2. Put the schema in the changelog folder
3. Change xsi:schemaLocation=“http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd” to xsi:schemaLocation=“http://www.liquibase.org/xml/ns/dbchangelog *filepath”

panic do fix

A workaround that worked for me is to remove s from https. Then the app started somehow.