After working at this for a while, I found a solution.
If you deployed Rancher using Helm, there is this option:
# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false
In the cluster where Rancher is installed, create a secret in the cattle-system
namespace as follows:
name: tls-ca-additional
key: ca-additional.pem
value: [concatenated pem of root and intermediate CAs]
Then set additionalTrustedCAs to true, and upgrade your Rancher Helm chart.
What it does is mount the secret at /etc/ssl/certs/ca-additional.pem, and now Rancher is able to fetch catalogs through SSL interception.
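The procedure above as an added shell example (not code from the original answer): it concatenates the root and intermediate CA PEMs while checking that no END/BEGIN markers run together, emits the tls-ca-additional Secret manifest for cattle-system, and shows the apply and upgrade commands. The certificate contents are constructed placeholders, and the Helm release name and chart repo alias are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the concatenated CA bundle,
# sanity-check it, and emit the tls-ca-additional Secret for cattle-system.
set -eu

# Constructed placeholder certificates; substitute your real root and
# intermediate CA PEM files.
ROOT_CA_PEM='-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgUk9PVCBDQSAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----'
INTERMEDIATE_CA_PEM='-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENBIChjb25zdHJ1Y3RlZCk=
-----END CERTIFICATE-----'

# bundle_cas OUT IN...  Concatenate PEM files into OUT, adding a newline after
# any file that lacks one so END/BEGIN markers never share a line (a bundle
# that does so is silently truncated to its first certificate by most parsers).
bundle_cas() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
  done
}

# count_certs FILE  Number of certificates in a PEM bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# secret_manifest BUNDLE  Emit the Secret that the Rancher chart mounts at
# /etc/ssl/certs/ca-additional.pem once additionalTrustedCAs is true.
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: tls-ca-additional\n'
  printf '  namespace: cattle-system\ntype: Opaque\nstringData:\n  ca-additional.pem: |\n'
  sed 's/^/    /' "$1"
}

# Stand-alone run in a temporary directory; the intermediate file is written
# without a trailing newline to exercise the fix-up in bundle_cas.
work=$(mktemp -d)
printf '%s\n' "$ROOT_CA_PEM" > "$work/root.pem"
printf '%s' "$INTERMEDIATE_CA_PEM" > "$work/intermediate.pem"
bundle_cas "$work/ca-additional.pem" "$work/root.pem" "$work/intermediate.pem"
echo "certificates in bundle: $(count_certs "$work/ca-additional.pem")"
secret_manifest "$work/ca-additional.pem"
# Against a real cluster (release name "rancher" and repo alias "rancher-latest" are assumptions):
#   secret_manifest "$work/ca-additional.pem" | kubectl apply -f -
#   helm upgrade rancher rancher-latest/rancher -n cattle-system --reuse-values --set additionalTrustedCAs=true
```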