diff --git a/warden3/contrib/warden_ra/warden_ra.py b/warden3/contrib/warden_ra/warden_ra.py
index f9e26c9828a0bdbfb8b83703e28bb4fc040ba9bb..b7400c355d8546b6846a89e2c7946e7f5e55b26b 100755
--- a/warden3/contrib/warden_ra/warden_ra.py
+++ b/warden3/contrib/warden_ra/warden_ra.py
@@ -84,14 +84,20 @@ class OpenSSLRegistry(object):
         self.log = log
         self.subject_dn_template = subject_dn_template
         self.openssl_sign = openssl_sign
+        os.umask(0o0002)    # read privilege for usual apache group
 
     def get_clients(self):
         return [self.get_client(c) for c in os.listdir(self.client_dir) if pth.isdir(pth.join(self.client_dir, c))]
 
     def get_client(self, name):
         config = ConfigParser.RawConfigParser()
-        if not config.read(pth.join(self.client_dir, name, "state")):
-            return None
+        try:
+            with open(pth.join(self.client_dir, name, "state")) as cf:
+                config.readfp(cf)
+        except IOError as e:
+            if e.errno == errno.ENOENT:
+                return None
+            raise
         datum = dict(config.items("Client"))
         return Client(name, admins=datum["admins"].split(","), status=datum["status"], pwd=datum.get("password"))
 
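Review bot: The `os.umask(0o0002)` added at the top of the hunk is a process-wide, persistent setting, not a property of this registry object: every file or directory created afterwards by any code sharing the process (other modules, the web server worker if this runs in one) inherits it, and with 0o002 those objects stay world-readable by default. Since `get_client` below reads a `password` out of the same `state` file, defaulting to world-readable looks like more exposure than the comment intends; consider restricting the umask to the group (`os.umask(0o007)`) and, more importantly, setting it only around the `mkdir`/file-creation calls that need it (saving the old value with `old = os.umask(...)` and restoring it in a `finally`), or documenting in the constructor that it changes umask for the whole process. Separately, note that 0o002 grants group write as well, so `# read privilege for usual apache group` undersells what it does — `# group gets rw on everything this process creates (apache group needs read)` would be accurate. The enclosing `__init__` starts outside the hunk, so I cannot see whether a directory-creating call relies on this umask.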
@@ -116,6 +122,7 @@ class OpenSSLRegistry(object):
                 raise
         with tempfile.NamedTemporaryFile(dir=client_path, delete=False) as cf:
             config.write(cf)
+        os.chmod(cf.name, 0o660)    # read privilege for usual apache group
         os.rename(cf.name, pth.join(client_path, "state")) # atomic + rewrite, so no need for locking
 
     def get_certs(self, client):
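Review bot: The new `os.chmod(cf.name, 0o660)` adds a second failure point between the temporary file's creation and the `os.rename`, and neither it nor the rename cleans up the temp file on error, so a failed chmod (e.g. EPERM on a foreign-owned directory) leaves a stray `tmp*` file in `client_path` that `get_clients`/`get_client` could later trip over. A small guard around both calls, `try: os.chmod(cf.name, 0o660); os.rename(cf.name, pth.join(client_path, "state"))` / `except: os.unlink(cf.name); raise`, keeps the directory clean. Also, 0o660 grants the group write access while the comment says only read is needed; if the apache group only reads `state`, `0o640` matches the comment, otherwise reword the comment to `# apache group needs rw on state`. The enclosing method starts outside the hunk.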