#9066 ipa-server-upgrade error, "loading configuration: crypto failure" in named-pkcs11.service
Opened 2 years ago by meldor3313. Modified 2 years ago

Issue

Before a system upgrade I checked with "ipa-server-upgrade" if everything is right, but I get the error "loading configuration: crypto failure" in the named-pkcs11 service.

Steps to Reproduce

  1. ipa-server-upgrade

get the message:

Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
Updated entry cn=replica,cn=dc\=ipa\,dc\=example\,dc\=net,cn=mapping tree,cn=config
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: CalledProcessError(Command ['/bin/systemctl', 'start', 'named-pkcs11.service'] returned non-zero exit status 1: 'Job for named-pkcs11.service failed because the control process exited with error code.\nSee "systemctl status named-pkcs11.service" and "journalctl -xe" for details.\n')
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

The status of named-pkcs11:

● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2021-12-19 11:25:49 CET; 7s ago
  Process: 3178 ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
  Process: 3174 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disable>

Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: none:105: 'max-cache-size 90%' - setting to 2462MB (out of 2736MB)
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: configuring command channel from '/etc/rndc.key'
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: command channel listening on 127.0.0.1#953
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: configuring command channel from '/etc/rndc.key'
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: command channel listening on ::1#953
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: loading configuration: crypto failure
Dec 19 11:25:49 hn-dlp.ipa.example.net named-pkcs11[3179]: exiting (due to fatal error)
Dec 19 11:25:49 hn-dlp.ipa.example.net systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Dec 19 11:25:49 hn-dlp.ipa.example.net systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Dec 19 11:25:49 hn-dlp.ipa.example.net systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.

Actual behavior

In "ipa-server-upgrade", the service "named-pkcs11.service" can't start.

Expected behavior

In "ipa-server-upgrade", the service "named-pkcs11.service" starts.

Version/Release/Distribution

$ uname -r
4.18.0-305.17.1.el8_4.x86_64
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
ipa-client-4.9.2-4.module_el8.4.0+846+96522ed7.x86_64
389-ds-base-1.4.3.16-13.module_el8.4.0+804+98b1df0d.x86_64
pki-ca-10.10.5-3.module_el8.4.0+816+beb6e9a3.noarch
krb5-server-1.18.2-8.el8.x86_64

Additional info:

For testing I upgraded the system to the latest version, but I get the same error.

