Description of problem:
When installing FreeIPA on a system where UMASK is non-default removing rwx access to "other", one can not log in to the IPA server web portal due to incorrect permissions on IPA-installed certificates and other content.

Version-Release number of selected component (if applicable):
4.6.90.pre1-6.1.fc28

How reproducible:
permanent issue, if UMASK was incorrect during installation

Steps to Reproduce:
1. change UMASK to 0007 ("umask 0007")
2. install IPA normally (I used a script with the command line "/usr/sbin/ipa-server-install --mkhomedir --no-ntp --idstart=20000 --idmax=39999 --no-ui-redirect")
3. open a browser and navigate to https://<hostname>/ipa/ui and log in.

Actual results:
The login fails due to an "unknown reason".  Apache access_log provides an HTTP 500 error.  error_log states that one of the files cannot be accessed (e.g. /var/lib/ipa-client/pki/ca-bundle.pem).  Changing permissions will yield the next file on the next attempt.

Expected results:
When running an automation routine like ipa-server-install, it shall take care of setting file permissions itself and shall not rely on a system's UMASK to do it.

Additional info:
Regression:
Installing the shipped version of FreeIPA on a system with the above UMASK worked on Fedora 26, but stopped working on Fedora 27 (however, I did not investigate the reasons back then, but remained on F26 instead).