The most common cause of this is Mixed Content. That is, the page itself is loaded over https/encrypted, the cert is valid, but it’s loading some resources unencrypted/over http.
Newer versions of Chrome/Firefox will auto-upgrade these requests, but not all browsers do, and neither do older versions.
Open up the dev console (Ctrl+Shift+I, or right click → Inspect), click on the “Console” tab, look for log messages that start with “Mixed content”, and note down the URLs.
You can change them in the source of your website to simply load over https (change http:// to https://), or you can try enabling Automatic HTTPS Rewrites. You can find Automatic HTTPS Rewrites under your website in the dashboard, and then SSL/TLS → Edge Certificates → scroll down to Automatic HTTPS Rewrites and enable it, or via this Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates
Automatic HTTPS Rewrites won’t get everything though.
HTTPS rewrites was already on, but I did have a bunch of old links in there. Manually going through these fixed it. I’ll hunt down the rest with better search replace.
Another thing learned (because I’m sure I’ll run into this again with other older sites)!
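For hunting down the remaining references in a site's source, here is an added example (not code from anyone in this thread) that scans HTML for `http://` subresources, the references a browser reports as mixed content, while skipping plain `<a href>` links, which are navigation and do not trigger the warning. The names `MixedContentFinder` and `find_mixed_content`, the attribute lists and the `example.com` sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed, non-exhaustive lists. srcset is a comma-separated "url descriptor" list.
FETCH_ATTRS = ("src", "srcset", "poster")  # fetched on any tag that carries them
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that load a file
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, url) for each http:// subresource reference."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _css(self, tag, text):
        for m in CSS_URL.finditer(text):
            line = self.getpos()[0] + text.count("\n", 0, m.start())
            self.findings.append((line, tag, m.group(1)))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_style = tag == "style"
        # <a href> is navigation, not mixed content; <link href> counts only for LINK_RELS
        loads = tag == "link" and LINK_RELS & set(a.get("rel", "").lower().split())
        for name in (("href",) if loads else FETCH_ATTRS):
            parts = a.get(name, "").split(",") if name == "srcset" else [a.get(name, "")]
            for url in (p.split()[0] for p in parts if p.strip()):
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, url))
        self._css(tag, a.get("style", ""))  # inline style="background:url(...)"

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> block
            self._css("style", data)

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the example.com URLs are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://example.com/site.css">
<link rel="canonical" href="http://example.com/">
<style>
body { background: url('http://example.com/bg.png'); }</style>
<a href="http://example.com/about"><img srcset="http://example.com/a.png 1x, https://example.com/b.png 2x"></a>
<script src="http://example.com/app.js"></script>"""
```

Calling `find_mixed_content()` on each template or exported page gives the line, tag and URL to change to `https://`; resources injected by JavaScript at runtime are not in the source, so they only show up in the browser console.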