diff --git a/lib/puppetserver/ca/utils/file_system.rb b/lib/puppetserver/ca/utils/file_system.rb
index c8282da..0873dd1 100644
--- a/lib/puppetserver/ca/utils/file_system.rb
+++ b/lib/puppetserver/ca/utils/file_system.rb
@@ -60,7 +60,11 @@ def self.forcibly_symlink(source, link_target)
           # Symlink permissions are ignored in favor of the source's permissions,
           # so we don't have to change those.
           source_info = File.stat(source)
-          FileUtils.chown(source_info.uid, source_info.gid, link_target)
+          begin
+            FileUtils.chown(source_info.uid, source_info.gid, link_target)
+          rescue Errno::EPERM # rubocop:disable Lint/SuppressedException
+            # In rootless containers the process may lack CAP_CHOWN.
+          end
         end
 
         def initialize
@@ -93,14 +97,22 @@ def write_file(path, one_or_more_objects, mode)
               f.puts object.to_s
             end
           end
-          FileUtils.chown(@user, @group, path)
+          begin
+            FileUtils.chown(@user, @group, path)
+          rescue Errno::EPERM # rubocop:disable Lint/SuppressedException
+            # In rootless containers the process may lack CAP_CHOWN.
+          end
         end
 
         # Warning: directory mode should be specified in DIR_MODES above
         def ensure_dir(directory)
           if !File.exist?(directory)
             FileUtils.mkdir_p(directory, mode: DIR_MODES[directory])
-            FileUtils.chown(@user, @group, directory)
+            begin
+              FileUtils.chown(@user, @group, directory)
+            rescue Errno::EPERM # rubocop:disable Lint/SuppressedException
+              # In rootless containers the process may lack CAP_CHOWN.
+            end
           end
         end
       end