Description of problem:
When installing FreeIPA on a system where UMASK is set to a non-default value that removes rwx access for "other", one cannot log in to the IPA server web portal due to incorrect permissions on IPA-installed certificates and other content.
Version-Release number of selected component (if applicable):
permanent issue, if UMASK was incorrect during installation
Steps to Reproduce:
1. Change UMASK to 0007 ("umask 0007")
2. Install IPA normally (I used a script with the command line "/usr/sbin/ipa-server-install --mkhomedir --no-ntp --idstart=20000 --idmax=39999 --no-ui-redirect")
3. Open a browser, navigate to https://<hostname>/ipa/ui and log in.
The login fails due to an "unknown reason". Apache access_log provides an HTTP 500 error. error_log states that one of the files cannot be accessed (e.g. /var/lib/ipa-client/pki/ca-bundle.pem). Changing permissions will yield the next file on the next attempt.
When running an automation routine like ipa-server-install, it shall take care of setting file permissions itself and shall not rely on a system's UMASK to do it.
Installing the shipped version of FreeIPA on a system with the above UMASK worked on Fedora 26, but stopped working on Fedora 27 (however, I did not investigate the reasons back then, but remained on F26 instead).
*** This bug has been marked as a duplicate of bug 1485217 ***
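
The behaviour reported above, as an added Python example that is not part of the original report and not FreeIPA's own code: a file written under umask 0007 loses all "other" access, an explicit `fchmod` does not depend on the umask, and a small audit lists what "other" cannot reach. The function names and the temporary `pki/` layout are constructed for illustration; only the `ca-bundle.pem` file name comes from the report.

```python
import os
import stat
import tempfile

def write_relying_on_umask(path, data):
    # open() requests 0o666; the process umask then strips bits from it.
    with open(path, "wb") as f:
        f.write(data)

def write_with_explicit_mode(path, data, mode=0o644):
    # The mode passed to os.open() is still masked, so set it again with
    # fchmod(), which is not affected by the umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)

def not_accessible_to_other(root):
    """Paths under root that "other" cannot read (files) or read and traverse (dirs)."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            need = stat.S_IROTH | stat.S_IXOTH
            if os.lstat(path).st_mode & need != need:
                flagged.append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.lstat(path).st_mode & stat.S_IROTH:
                flagged.append(path)
    return sorted(flagged)

def demo():
    old = os.umask(0o007)  # the umask from the report
    try:
        with tempfile.TemporaryDirectory() as root:
            pki = os.path.join(root, "pki")  # constructed layout
            os.mkdir(pki)
            implicit = os.path.join(pki, "ca-bundle.pem")
            explicit = os.path.join(pki, "explicit.pem")
            write_relying_on_umask(implicit, b"constructed sample\n")
            write_with_explicit_mode(explicit, b"constructed sample\n")
            modes = {os.path.basename(p): stat.S_IMODE(os.stat(p).st_mode)
                     for p in (implicit, explicit)}
            flagged = [os.path.relpath(p, root) for p in not_accessible_to_other(root)]
            return modes, flagged
    finally:
        os.umask(old)

if __name__ == "__main__":
    print(demo())
```

The audit also flags the `pki` directory itself, because a directory created under umask 0007 lacks the traverse bit for "other" even when the files inside it have been given an explicit mode.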