Sometimes the 'admin' account gets locked in FreeIPA, which immediately takes down the administration site with '500: Internal Server Error' and other symptoms. You will know a lockout is in effect if you run
kinit admin on the IPA host and get:
kinit: Clients credentials have been revoked while getting initial credentials
You can reset the account by applying an LDIF change to the nsaccountlock attribute for admin:
ldapmodify -h localhost -D "cn=Directory Manager" -ZZ -x -W
No prompt will be shown unless the password is wrong. Enter the following LDIF:
dn: uid=admin,cn=users,cn=accounts,dc=domain,dc=name
changetype: modify
replace: nsaccountlock
nsaccountlock: false
Be sure to change dc=domain,dc=name to match your own domain and TLD.
If all goes well, you will see output confirming that the change was made:
modifying entry "uid=admin,cn=users,cn=accounts,dc=domain,dc=name"
Press Ctrl+C to exit ldapmodify.
Investigate why this happened
This can be your fault, your keyboard's fault, or a compromised internal network running brute-force scans against your IPA instance. Tools like tcpdump can help isolate the cause, as can the Kerberos logs within FreeIPA.
Not understanding why this is happening can lead to additional lockouts or a security risk.
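One way to start on the Kerberos logs mentioned above, as an added example that is not part of the original post: it groups failed AS_REQ entries for one principal by source address and reports where the first lockout reply went. It assumes the standard MIT krb5kdc log line layout (on a FreeIPA server, /var/log/krb5kdc.log); the sample lines, hosts, addresses and realm are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the MIT krb5kdc log layout; hosts, IPs and realm are made up.
SAMPLE_LOG = """\
Jan 12 10:14:58 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.7: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 12 10:14:59 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.7: ISSUE: authtime 1705054499, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 12 10:15:01 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.23: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Jan 12 10:15:04 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.23: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Jan 12 10:15:07 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.23: PREAUTH_FAILED: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Jan 12 10:15:09 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.23: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
Jan 12 10:16:30 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.7: LOCKED_OUT: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clients credentials have been revoked
Jan 12 10:17:02 ipa.example.test krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.23: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

# timestamp ... krb5kdc[pid](info): AS_REQ (etypes) SOURCE: STATUS: client@REALM for server
AS_REQ = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) "
    r"(?P<src>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<client>\S+?)@\S+ for "
)
FAILURES = {"PREAUTH_FAILED", "LOCKED_OUT"}


def failed_logins_by_source(lines, principal="admin"):
    """Return {source_address: Counter(status)} for failed AS_REQs naming principal."""
    by_source = defaultdict(Counter)
    for line in lines:
        m = AS_REQ.match(line)
        if m and m["client"] == principal and m["status"] in FAILURES:
            by_source[m["src"]][m["status"]] += 1
    return dict(by_source)


def first_lockout(lines, principal="admin"):
    """Return (timestamp, source_address) of the first LOCKED_OUT reply, or None."""
    for line in lines:
        m = AS_REQ.match(line)
        if m and m["client"] == principal and m["status"] == "LOCKED_OUT":
            return m["ts"], m["src"]
    return None


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()  # on a real server: open("/var/log/krb5kdc.log")
    for src, counts in failed_logins_by_source(log).items():
        print(src, dict(counts))
    print("first lockout:", first_lockout(log))
```

A source that shows several PREAUTH_FAILED entries immediately before the first LOCKED_OUT is the one that tripped the lockout; sources that only show LOCKED_OUT were refused after the account was already locked.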