• After upgrading vCenter Server and ESXi hosts to version 9.0, launching web console of any VM from vCenter Server fails with the following error : "Couldn't establish a connection to the VM web console." 
  
• vCenter Server and ESXi hosts are assigned with Custom CA certificates. 
• ESXi certificate is validated to be correctly formatted as per KB : Couldn't establish a connection to the VM web console.
• The envoy logs on the vCenter Server reports the following error indicating a failure to trust the ESXi host's certificate. 
  Log location: /var/log/vmware/envoy/envoy.log
  
  YYYY-MM-DDTHH:MM:SS error envoy[21977] [Originator@6876 sub=connection] Failed to load trusted CA certificates from <inline>
YYYY-MM-DDTHH:MM:SS info envoy[22005] [Originator@6876 sub=connection] [Tags: "ConnectionId":"415342"] remote address:<ESXi Host IP Address where the VM is running>:443,TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end-----BEGIN CERTIFICATE-----
<ESXi Host Machine SSL certificate>
-----END CERTIFICATE-----

• VMware vCenter Server 9.0
• VMware vSphere ESX 9.0

When Custom CA certificates are in use, the Envoy service may fail to correctly load or validate the inline trusted CA chain required to proxy the secure WebSocket connection (WSS) from the browser to the ESXi host. Consequently, the connection is terminated by the proxy before it reaches the VM.

Couldn't establish a connection to the VM web console