cluster-import failure "certificate signed by unknown authority" on https://rancher.cattle-system.svc.cluster.local

seen in a few jobs today/yesterday, for instance https://gitlab.com/sylva-projects/sylva-core/-/jobs/7095786190#L397

IDENTIFIER                             STATUS     REASON               MESSAGE
Kustomization/rke2-capo/cluster-import InProgress                      Kustomization generation is 1, but latest observed generation is -1
╰┄╴┬┄┄[Conditions]
   ├┄╴Reconciling                      True       ProgressingWithRetry Detecting drift for revision 0.0.0-git-39139a2a@sha256:4cf9b265ae23fce50557daf2e8dc6b412bbb7aec28b13d607257e871b15971b3 with a timeout of 30s
   ╰┄╴Ready                            False      ReconciliationFailed Cluster/rke2-capo/wc-1331601655-rke2-capo-oci-capi dry-run failed: failed to get API group resources: 
unable to retrieve the complete list of server APIs: 
provisioning.cattle.io/v1: 
Get "https://rancher.cattle-system.svc.cluster.local/k8s/clusters/local/apis/provisioning.cattle.io/v1?timeout=30s": 
tls: failed to verify certificate: x509: 
certificate signed by unknown authority
Edited by Thomas Morin