Struggling with serversTransports in YML config file

I am trying to tighten the security of my nodeRed instance to use HTTPS & SSO on my internal network. Traefik already protects it from the internet.

I updated NodeRed to use the same cert that Traefik gets from LetsEncrypt and can call the site successfully using this curl command

curl -v --resolve noderedsecuredinternal.my.domain:1882:192.168.1.185 https://noderedsecuredinternal.my.domain:1882/

When I direct traefik to call this service - it uses the IP address and fails with no IP SANS. I think I have to use the serversTransports option in my settings file, but I don't see how the relationship between the service and the serversTransports option should be made.

The documentation has far too many instance of the word foobar !

Here is my noderedsecured.yml file:

http:
  # Add the router
  routers:
    noderedsecured:
      entryPoints:
      - websecure
      service: noderedsecured
      rule: Host(`noderedsecured.my.domain`)
      tls:
        certResolver: leresolver
        domains:
        - main: my.domain
          sans:
          - "*.my.domain"


  serversTransports:
    mytransport:
      serverName: noderedsecured.my.domain

  # Add the service
  services:
    noderedsecured:
      loadBalancer:
        servers: 
        - url: https://192.168.1.185:1882 
        serversTransport: mytransport
        passHostHeader: true 

On starting this, I can see no evidence that the serversTransports stanza is used - there are no matches in the Traefik log with debug enabled. The Traefik 2.4 Services Dashboard does not show it either.

Calling the website https://noderedsecured.my.domain/ results in Internal Server Error

The log shows

traefik                 | time="2021-02-16T11:01:40+01:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Te\":[\"trailers\"],\"Uber-Trace-Id\":[\"61f6eebec51c3239:017dd20ea86289dd:61f6eebec51c3239:1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\"],\"X-Forwarded-Host\":[\"noderedsecured.my.domain\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"d5b140edb228\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"noderedsecured.my.domain\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:63763\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="https://192.168.1.185:1882"
traefik                 | time="2021-02-16T11:01:40+01:00" level=debug msg="'500 Internal Server Error' caused by: x509: certificate signed by unknown authority"

I was getting no IP SANS but the latest error us now x509: certificate signed by unknown authority. Is this progressing or regressing?

Are there additional debugging or tracing steps that will help me progress this issue?

Steve