Permission denied when generating Wazuh self-signed certificates

[fannyhasbi]

I am having issue when trying to generate the Wazuh self-signed certificate using the docker-compose -f generate-indexer-certs.yml run --rm generator

here is the output

The tool to create the certificates exists in the in Packages bucket
23/10/2025 04:03:06 INFO: Generating the root certificate.
23/10/2025 04:03:06 INFO: Generating Admin certificates.
23/10/2025 04:03:06 INFO: Admin certificates created.
23/10/2025 04:03:06 INFO: Generating Wazuh indexer certificates.
23/10/2025 04:03:07 INFO: Wazuh indexer certificates created.
23/10/2025 04:03:07 INFO: Generating Filebeat certificates.
23/10/2025 04:03:07 INFO: Wazuh Filebeat certificates created.
23/10/2025 04:03:07 INFO: Generating Wazuh dashboard certificates.
23/10/2025 04:03:07 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
Changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
cp: cannot create regular file '/certificates/root-ca-manager.pem': Permission denied
cp: cannot create regular file '/certificates/root-ca-manager.key': Permission denied
chown: cannot access '/certificates/root-ca-manager.pem': No such file or directory
chown: cannot access '/certificates/root-ca-manager.key': No such file or directory

I see there is no Mac/Apple OS is listed in the System requirement in this official documentation: https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html

Does this problem arise because I am using macos when I run the command? I am running the command on MacBook Pro M4.

Container runtime: Colima (https://github.com/abiosoft/colima)
Docker compose: using docker-compose via brew (https://formulae.brew.sh/formula/docker-compose)

Edit:
I also try to copy manually on the local volume using this command:

sudo cp root-ca.pem root-ca-manager.pem
sudo cp root-ca.key root-ca-manager.key

and then run the docker compose again, but it's giving more issues

The tool to create the certificates exists in the in Packages bucket
23/10/2025 04:13:33 INFO: Generating the root certificate.
23/10/2025 04:13:33 INFO: Generating Admin certificates.
23/10/2025 04:13:33 INFO: Admin certificates created.
23/10/2025 04:13:33 INFO: Generating Wazuh indexer certificates.
23/10/2025 04:13:34 INFO: Wazuh indexer certificates created.
23/10/2025 04:13:34 INFO: Generating Filebeat certificates.
23/10/2025 04:13:34 INFO: Wazuh Filebeat certificates created.
23/10/2025 04:13:34 INFO: Generating Wazuh dashboard certificates.
23/10/2025 04:13:34 INFO: Wazuh dashboard certificates created.
Moving created certificates to the destination directory
cp: cannot create regular file '/certificates/root-ca.key': Permission denied
cp: cannot create regular file '/certificates/root-ca.pem': Permission denied
cp: cannot create regular file '/certificates/wazuh.dashboard-key.pem': Permission denied
cp: cannot create regular file '/certificates/wazuh.dashboard.pem': Permission denied
cp: cannot create regular file '/certificates/wazuh.indexer-key.pem': Permission denied
cp: cannot create regular file '/certificates/wazuh.indexer.pem': Permission denied
cp: cannot create regular file '/certificates/wazuh.manager-key.pem': Permission denied
cp: cannot create regular file '/certificates/wazuh.manager.pem': Permission denied
Changing certificate permissions
chmod: changing permissions of '/certificates/root-ca-manager.key': No such file or directory
chmod: changing permissions of '/certificates/root-ca-manager.pem': No such file or directory
chmod: changing permissions of '/certificates/root-ca-manager.key': No such file or directory
chmod: changing permissions of '/certificates/root-ca-manager.pem': No such file or directory
Setting UID indexer and dashboard
chown: changing ownership of '/certificates/root-ca-manager.key': No such file or directory
chown: changing ownership of '/certificates/root-ca-manager.pem': No such file or directory
Setting UID for wazuh manager and worker
cp: cannot create regular file '/certificates/root-ca-manager.pem': Permission denied
cp: cannot create regular file '/certificates/root-ca-manager.key': Permission denied
chown: cannot access '/certificates/root-ca-manager.pem': Permission denied
chown: cannot access '/certificates/root-ca-manager.key': Permission denied

I would like to install Wazuh on my laptop for testing purposes.

Thanks in advance

[khainq515383]

Ah yes I just got the issue after trying to deploy a single node wazuh

java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/wazuh-indexer/certs/root-ca.pem" "read")

couple of researchs that point out this java.io.FilePermission is from a security manager plugin used by opensearch and by design its drop privileges for security reason, even if ur manually copy the cert from OS into the container. Because it checks file permissions inside the JVM sandbox, not at the OS level.

--> solution imma try to make wazuh indexer to disable this opensearch plugin (not recommended)

[infosec-shinobi]

@fannyhasbi I struggled to get the cert generator to work for a bit as well.

This docker-compose file finally worked for me: https://github.com/infosec-shinobi/homelab_cdr/blob/main/nimbus_cloud/docker-compose-wazuh-certs.yml

Note, I had some issues if files already existed in ./config/wazuh/certs/ directory... So make sure you nuke everything before running it. Also had to do docker compose -f docker-compose-wazuh-certs.yml --force-recreate wazuh-cert-generator to make sure the container started fresh with no context from previous runs.

@khainq515383 , spent a few hours across multiple days trying to troubleshoot that exact error... For me, I was trying to deploy image tag 4.14.0. In 4.14.0 and newer, you need to move the certs to /usr/share/wazuh-indexer/config/certs/. What was tripping me up is that I updated my mount points but couldn't understand why I kept getting the wrong location being attempted in the logs... Totally forgot that you also have certificate paths set in your wazuh.indexer.yml file... Specifically these:

plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem

Those need to be in alignment with your mounted certs... Serves me right for not having a rubber ducky on my desk to talk this out with...

Hope this helps you!

[khainq515383]

@fannyhasbi I struggled to get the cert generator to work for a bit as well.

This docker-compose file finally worked for me: https://github.com/infosec-shinobi/homelab_cdr/blob/main/nimbus_cloud/docker-compose-wazuh-certs.yml

Note, I had some issues if files already existed in ./config/wazuh/certs/ directory... So make sure you nuke everything before running it. Also had to do docker compose -f docker-compose-wazuh-certs.yml --force-recreate wazuh-cert-generator to make sure the container started fresh with no context from previous runs.

@khainq515383 , spent a few hours across multiple days trying to troubleshoot that exact error... For me, I was trying to deploy image tag 4.14.0. In 4.14.0 and newer, you need to move the certs to /usr/share/wazuh-indexer/config/certs/. What was tripping me up is that I updated my mount points but couldn't understand why I kept getting the wrong location being attempted in the logs... Totally forgot that you also have certificate paths set in your wazuh.indexer.yml file... Specifically these:

plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
Those need to be in alignment with your mounted certs... Serves me right for not having a rubber ducky on my desk to talk this out with...

Hope this helps you!

thanks for the helpful information i will check it for later. I just got another problems from my very own solution but I'll keep u posted