ArcGIS Enterprise Patch Notification: Connect to proxy server failed.

Any idea if this is still the case?

Loading the Root CA into portal wasn't sufficient for me. I had to manually load it into the java environment that the patchnotification tool was using, a bit concerned about whether this is documented and supported.
<ArcGISInstall>\framework\runtime\jre\lib\security\cacerts

(Patchnotification tool unable to connect to proxy ... - Esri Community)

Hi @ar_tw,

I will try to summarize my current knowledge and experience on this topic:

The ArcGIS Enterprise Patch Notification tool is available at several places, depending on what you have installed:

• For Portal for ArcGIS at C:\Program Files\ArcGIS\Portal\tools\patchnotification.
• For ArcGIS Server at C:\Program Files\ArcGIS\Server\tools\patchnotification.
• For ArcGIS DataStore at C:\Program Files\ArcGIS\DataStore\tools\patchnotification.

Each of them has its own certificate store in the \framework\runtime\jre\lib\security\cacerts at the corresponding directory.

The normal case is/should be that when adding a certificate (e.g. Root CA) under the Portal Administrator Directory (under /security/sslCertificates) or the ArcGIS Server Administrator Directory (under /machines/<MACHINE>/sslcertificates) it should be also added to this internal cacerts store.

For the cacerts in the ArcGIS DataStore there isn't such a synchronization and you must add all additional needed certificates manually.

This was still the case in our setup so far ... but after one of the last installed patches, our internal cacerts from the Portal for ArcGIS was "resettet" to the default and all manually added certificates so far was missing.

So I also had to add the missing certificates manually in this internal cacerts store to get the Patch Notification tool running.

Fantastic information @dstrigl !
Adding a few additional nuggets of information for others out there running into this situation.

For our organization, this used to work just fine... assuming that is because by default it would request the patches URL over HTTP port 80.  And at 10.9, it was updated to request the patches information over HTTPS port 443.  See https://support.esri.com/en-us/bug/the-check-for-arcgis-enterprise-updates-utility-uses-po-bug-00012...

Patches check URL - https://content.esri.com/patch_notification/patches.json

Our organization has an SSL intercept appliance in place to capture all outbound internet traffic and as a result, it presents a private/corporate SSL certificate which is not trusted by default (for HTTPS/443 requests).  We do add this to the back-end portal/server/datastore admin REST API location, but it is not automatically updating the cacerts file that this utility uses.  

For ArcGIS Server, 

To check to see if the cert exists in the keystore, run this from a cmd.exe:

C:\Program Files\ArcGIS\Server\framework\runtime\jre\bin>keytool -list -v -keystore "C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts"

To add the root CA certificate... export it in X.509 format with PEM (base-64 encoding).  Supposedly a DER/Binary encoding would work as well (but we used the base-64 encoding).  

Then, import that by running this in cmd.exe:

C:\Program Files\ArcGIS\Server\framework\runtime\jre\bin>keytool -importcert -file "C:\tmp\myrootcert.cer" -alias PrivateRootCA -keystore "C:\Program Files\ArcGIS\Server\framework\runtime\jre\lib\security\cacerts" 

The keytool will prompt you for the password which is the default for a cacerts file.  see this if you do not know the default password - https://docs.oracle.com/javase/9/tools/keytool.htm

Once we imported the private/corporate root CA, the utility started working.  Thanks everyone!