at last I also got it to work with insecureSkipVerify: false 
I removed the global (static) entry serversTransport (NOTE: transport singular vs. transports plural - easily missed when you're tired...)
for the one service my-app I added the label (see insecureSkipVerify How to apply this at a service level in docker compose)
- traefik.http.services.my-app-service.loadBalancer.serversTransport=my-host@file
Then I created the dynamic configuration my-host.yml:
http:
serversTransports:
my-host:
insecureSkipVerify: false
serverName: my-host.my-domain.com
rootCAs:
- /etc/certs/myRootCA.crt