Day 3 of a persistent error and my hair is now mostly gone. I know the answer must be simple but I can't figure out what's going on. I modified my rancher deployment to use a public cert instead of a private one. The Rancher UI works, kubectl works for both the rancher cluster and mlutiple downstream rke2 clusters. The only thing not working is Harvester provisioning. When Rancher tries to provision machines in Harvester, it fails with:

Error with pre-create check: "Get \"<https://XXXXX.XXX.XXXXXX.com/k8s/clusters/c-m-jjs5qt62/apis/harvesterhci.io/v1beta1/settings/server-version>\": x509: certificate signed by unknown authority"

The procedure for updating the CA on Rancher has you redeploy the fleet agents on downstream clusters using Continuous Delivery. This isn't possible with Harvester since it's not treated in the same way (doesn't appear in the list of clusters). I've tried everything to figure out who's holding on to the old CA data but I can't find it. Any help is much appreciated.