Using TLS, the address of the WSDL didn't match what was in the SSL certificate (the server certificate had the FQDN "friendly name" (host.domain.com), and I was just getting back the "host" name).
Naturally, this was causing problems.
There was lots of guidance about setting the host name using some old VBS script that turned out to be a red herring for IIS 7, anyway.
The quick & simple solution was to add
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="True" />
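For context, here is a complete serviceBehaviors section showing where those two elements sit and what a production-safe version looks like. This is an added example, not configuration from the original post; the behavior, binding, service and contract names are placeholders, and the HTTPS-only metadata endpoint and Transport-mode binding are assumptions about the deployment.

```xml
<!-- Added example, not from the original post. Names such as
     "SecureMetadataBehavior", "TlsOnly" and "MyNamespace.*" are placeholders. -->
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SecureMetadataBehavior">
        <!-- Publish the WSDL over HTTPS only; the plain-HTTP GET endpoint stays off,
             so the metadata address is built from the TLS host the client used. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <!-- Exception details in SOAP faults expose stack traces and internal
             paths to every caller; keep this false outside development. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <!-- Transport security: the endpoint is reachable only over TLS. -->
      <binding name="TlsOnly">
        <security mode="Transport" />
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="MyNamespace.MyService"
             behaviorConfiguration="SecureMetadataBehavior">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="TlsOnly"
                contract="MyNamespace.IMyService" />
      <!-- Metadata exchange endpoint, also HTTPS-only. -->
      <endpoint address="mex"
                binding="mexHttpsBinding"
                contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>
```

After deploying, fetch `https://host.domain.com/MyService.svc?wsdl` from a client and confirm that the `soap:address` and any `xsd:import` locations inside the returned WSDL carry the same FQDN as the certificate's subject; a short host name there is the symptom the post describes.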