Output from flyctl:
The certificate for *.righthandgreen.com has not been issued yet.
Hostname = *.righthandgreen.com
DNS Provider = googledomains
Certificate Authority = Let's Encrypt
Issued =
Added to App = 5 hours ago
Source = fly
You are creating a wildcard certificate for *.righthandgreen.com
We are using lets_encrypt for this certificate.
What should I do to help this get unstuck? Thanks. 
It looks like there’s no _acme-challenge DNS entry for that domain:
We need that to issue the cert. You should be able to see specific instructions for setting it up through our UI.
Huh. Earlier it was giving me validation instructions (AAAA or acme challenge CNAME), and those went away when I added the AAAA record, so I assumed I was done.
I also did create the acme challenge CNAME, but like an idiot, I copy/pasted the entire thing, so I ended up with a CNAME record for _acme-challenge.righthandgreen.com.righthandgreen.com. I bet this is not an uncommon mistake. If you wanted bonus points, you could accept that silly form, or detect it and tell me (gracefully) about my boneheadedness.
Anyway, all fixed now. Thanks!
Oh yes I’ve done that. We do need to improve our UX for certificate errors. We detect a lot and don’t really expose it well.