Cloned from upstream: https://pagure.io/freeipa/issue/9385

### Issue

ipactl start fails on a replica server

#### Steps to Reproduce

ipactl start

#### Actual behavior

Upgrade fails and rolls back.

#### Expected behavior

ipa starts

#### Version/Release/Distribution

The package freeipa-server is not installed
The package freeipa-client is not installed
ipa-server-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64
ipa-client-4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b.x86_64
389-ds-base-1.4.3.30-6.module+el8.7.0+20830+6d1ef8be.x86_64
The package pki-ca is not installed
krb5-server-1.18.2-22.0.1.el8_7.x86_64

#### Additional info:

```
ipactl restart
IPA version error: data needs to be upgraded (expected version '4.9.11-5.0.1.module+el8.8.0+21013+a1d8660b', current version '4.9.10-6.0.1.module+el8.7.0+20837+581a7c1e')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: saving configuration
  [2/9]: disabling listeners
  [3/9]: enabling DS global lock
  [4/9]: disabling Schema Compat
  [5/9]: starting directory server
  [6/9]: updating schema
  [7/9]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
  [8/9]: stopping directory server
  [9/9]: restoring configuration
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Remove FILE: prefix from 'dedicated keytab file' in Samba configuration]
[Update 'max smbd processes' in Samba configuration to prevent unlimited SMBLoris attack amplification]
[Change 'server role' from 'CLASSIC PRIMARY DOMAIN CONTROLLER' to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Certmonger certificate renewal configuration already up-to-date
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'caECServerCertWithSCT'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
RemoteRetrieveError: Failed to authenticate to CA REST API
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
```

#### Workaround:

Commenting out the update in `/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py` line 52.
Fixed upstream master:
https://pagure.io/freeipa/c/143c3eb1612f9bb7f015dcf2dcb496e8ef324a38
https://pagure.io/freeipa/c/ac78a84fbe90f361a4a58fb2748d539647ffea52
Upstream ticket: https://pagure.io/freeipa/issue/9385
Upstream test added in ipatests/test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements
Fixed upstream ipa-4-10:
https://pagure.io/freeipa/c/ad77c4c6512f82019d1970d910647761b60aaedb
https://pagure.io/freeipa/c/3b58487c7b2f8ac133e37e8f90f85ff2fb05bf34
Fixed upstream ipa-4-9:
https://pagure.io/freeipa/c/d29b47512a39ada02fb371521994576cd9815a6c
https://pagure.io/freeipa/c/93d97b59600c15e5028ee39b0e98450544165158
Verified
Tested using test-compose: ipa-server-4.10.2-2.el9.x86_64
```
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_replica PASSED [ 16%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_master PASSED [ 33%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_manage PASSED [ 50%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_ipa_custodia_check PASSED [ 66%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements PASSED [ 83%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_removal PASSED [100%]
=============================== warnings summary ===============================
    cls = pytest.mark.source_order(cls)
=================== 6 passed, 1 warning in 996.62s (0:16:36) ===================
```
Verified using nightly build: ipa-4.10.2-2.el9
```
============================= test session starts ==============================
platform linux -- Python 3.9.17, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.9.17', 'Platform': 'Linux-5.14.0-333.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.7.0', 'multihost': '3.0', 'html': '3.1.1', 'sourceorder': '0.6.0'}}
rootdir: /usr/lib/python3.9/site-packages/ipatests
plugins: metadata-1.7.0, multihost-3.0, html-3.1.1, sourceorder-0.6.0
collecting ... collected 6 items
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_replica PASSED [ 16%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_user_replication_to_master PASSED [ 33%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_manage PASSED [ 50%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_ipa_custodia_check PASSED [ 66%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_fix_agreements PASSED [ 83%]
test_integration/test_simple_replication.py::TestSimpleReplication::test_replica_removal PASSED [100%]
=================== 6 passed, 1 warning in 999.74s (0:16:39) ===================
```