The error message
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/elastic-certificates.p12]]; nested: AccessDeniedException[/etc/elasticsearch/elastic-certificates.p12];
means the elasticsearch process has no permission to read the certificate file /etc/elasticsearch/elastic-certificates.p12. If the directory /etc/elasticsearch/ is indeed where the elasticsearch.yml file lives, you just need to change the file permission of the certificate file. Specifically you need to ensure the two have the same permissions. Since you cp the certificate file manually into the directory, I assume you did it with either your own user or a root user. Both would result in a different set of file permissions to be set for the certificate file.
To fix the issue, first check the permission of the elasticsearch.yml file with ls -l /etc/elasticsearch/elasticsearch.yml. You should see something like the following:
-rw-r--r-- 1 elasticsearch elasticsearch ...... elasticsearch.yml
Note the user and group values from the above output (they both are elasticsearch). You can then fix the permission of the certificate with the chown command, e.g.:
sudo chown elasticsearch: /etc/elasticsearch/elastic-certificates.p12
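
The ownership comparison described in this answer, as a small script (an added example, not part of the original answer). The function names are hypothetical, and the warning about world-accessible modes is an addition that assumes the .p12 file carries a private key.

```bash
#!/bin/sh
# Added example: compare owner/group of the certificate file with the
# owner/group of elasticsearch.yml, as the answer does by hand with ls -l.
# Function names are hypothetical.

# Print "user:group" for a file (GNU stat first, BSD stat as fallback).
owner_group() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Print the octal mode of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Pure comparison, so it can be exercised on constructed values.
# Returns 0 = ok, 1 = owner/group differs, 2 = same owner but world-accessible.
compare_perms() {
    ref_owner=$1 cert_owner=$2 cert_mode=$3
    if [ "$ref_owner" != "$cert_owner" ]; then
        echo "MISMATCH: certificate is $cert_owner, config is $ref_owner"
        echo "  fix: sudo chown $ref_owner <certificate file>"
        return 1
    fi
    # Last octal digit holds the permission bits for "other" users.
    other=${cert_mode#"${cert_mode%?}"}
    if [ "$other" != "0" ]; then
        # Assumption: a PKCS#12 file used for transport SSL holds a private key.
        echo "WARN: mode $cert_mode gives every local user access to the file"
        return 2
    fi
    echo "OK: $cert_owner, mode $cert_mode"
    return 0
}

# Returns 3 if either file is missing, otherwise the result of compare_perms.
check_cert_perms() {
    ref=$1 cert=$2
    for f in "$ref" "$cert"; do
        [ -e "$f" ] || { echo "missing: $f"; return 3; }
    done
    compare_perms "$(owner_group "$ref")" "$(owner_group "$cert")" "$(file_mode "$cert")"
}

# Usage with the paths from the answer:
#   check_cert_perms /etc/elasticsearch/elasticsearch.yml \
#                    /etc/elasticsearch/elastic-certificates.p12
```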