Description of problem:
When installing FreeIPA on a system where UMASK is non-default removing rwx access to "other", one can not log in to the IPA server web portal due to incorrect permissions on IPA-installed certificates and other content.

Version-Release number of selected component (if applicable):
4.6.90.pre1-6.1.fc28

How reproducible:
permanent issue, if UMASK was incorrect during installation

Steps to Reproduce:
1. change UMASK to 0007 ("umask 0007")
2. install IPA normally (I used a script with the command line "/usr/sbin/ipa-server-install --mkhomedir --no-ntp --idstart=20000 --idmax=39999 --no-ui-redirect")
3. open a browser and navigate to https://<hostname>/ipa/ui and log in.

Actual results:
The login fails due to an "unknown reason". Apache access_log provides an HTTP 500 error. error_log states that one of the files cannot be accessed (e.g. /var/lib/ipa-client/pki/ca-bundle.pem). Changing permissions will yield the next file on the next attempt.

Expected results:
When running an automation routine like ipa-server-install, it shall take care of setting file permissions itself and shall not rely on a system's UMASK to do it.

Additional info:
Regression: Installing the shipped version of FreeIPA on a system with the above UMASK worked on Fedora 26, but stopped working on Fedora 27 (however, I did not investigate the reasons back then, but remained on F26 instead).
*** This bug has been marked as a duplicate of bug 1485217 ***
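
The failure mode in the report, as an added example (not FreeIPA code and not the project's fix): a file written with a plain `open()` inherits the caller's umask, while a writer that sets the mode explicitly does not, and a small audit lists files that "other" cannot read. The function names, file names and the 0644 target mode are assumptions made for illustration.

```python
import os
import stat
import tempfile

SAMPLE = b"constructed sample, not a real certificate\n"

def write_inheriting_umask(path, data):
    # Plain open(): resulting mode is 0o666 & ~umask, so umask 0007 gives 0o660.
    with open(path, "wb") as f:
        f.write(data)

def write_with_explicit_mode(path, data, mode=0o644):
    # Create owner-only, write, then fchmod(): fchmod is not filtered by umask.
    # The 0o644 default is an assumption suited to public material such as a CA bundle.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fchmod(f.fileno(), mode)

def files_missing_other_read(root):
    # Audit helper: names of regular files under root that "other" cannot read.
    missing = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode) and not st.st_mode & stat.S_IROTH:
                missing.append(name)
    return sorted(missing)

def demo(umask=0o007):
    # Returns (mode of umask-dependent file, mode of explicit file, audit hits).
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            a = os.path.join(d, "inherited.pem")
            b = os.path.join(d, "explicit.pem")
            write_inheriting_umask(a, SAMPLE)
            write_with_explicit_mode(b, SAMPLE)
            mode = lambda p: stat.S_IMODE(os.stat(p).st_mode)
            return mode(a), mode(b), files_missing_other_read(d)
    finally:
        os.umask(old)  # restore the caller's umask

if __name__ == "__main__":
    inherited, explicit, hits = demo()
    print(oct(inherited), oct(explicit), hits)
```

Pointing `files_missing_other_read` at a directory named in the error_log narrows down which installed files the web server's account cannot open.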