Index: head/www/hiawatha/Makefile
===================================================================
--- head/www/hiawatha/Makefile	(revision 493330)
+++ head/www/hiawatha/Makefile	(revision 493331)
@@ -1,71 +1,75 @@
 # Created by: Hugo Leisink
 # $FreeBSD$
 
 PORTNAME=	hiawatha
-PORTVERSION=	10.8.4
+PORTVERSION=	10.9
 CATEGORIES=	www
 MASTER_SITES=	https://www.hiawatha-webserver.org/files/
 
 MAINTAINER=	tobik@FreeBSD.org
 COMMENT=	Advanced and secure webserver for Unix
 
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
-USES=		cmake:insource compiler:c11
+USES=		cmake:insource compiler:c11 shebangfix
 USE_RC_SUBR=	hiawatha
+SHEBANG_FILES=	extra/letsencrypt/lefh.in
 
 CMAKE_ARGS=	-DCMAKE_INSTALL_LOCALSTATEDIR=/var \
 		-DWEBROOT_DIR=${WWWDIR} \
 		-DWORK_DIR=/var/db/${PORTNAME}
 SUB_FILES=	pkg-message
 
-OPTIONS_DEFINE=		CACHE CGIWRAPPER IPV6 LOADCHECK MBEDTLS MONITOR \
+OPTIONS_DEFINE=		CACHE CGIWRAPPER IPV6 LEFH LOADCHECK MBEDTLS MONITOR \
 			RPROXY TOMAHAWK TOOLKIT XSLT
 OPTIONS_DEFAULT=	CACHE CGIWRAPPER MBEDTLS RPROXY TOOLKIT XSLT
 OPTIONS_SUB=		yes
 
 CACHE_DESC=		Caching support
 CGIWRAPPER_DESC=	Install cgi-wrapper(1) (needs setuid bit)
+LEFH_DESC=		Install Let's Encrypt For Hiawatha script
 LOADCHECK_DESC=		Load check support (experimental)
 MONITOR_DESC=		Hiawatha Monitor support
 RPROXY_DESC=		Reverse proxy support
 TOMAHAWK_DESC=		Tomahawk command shell support
 TOOLKIT_DESC=		URL toolkit support
 XSLT_DESC=		XSLT support
 
 CACHE_CMAKE_BOOL=	ENABLE_CACHE
 IPV6_CMAKE_BOOL=	ENABLE_IPV6
+LEFH_IMPLIES=		MBEDTLS
+LEFH_USES=		php:cli
 LOADCHECK_CMAKE_BOOL=	ENABLE_LOADCHECK
 MBEDTLS_CMAKE_BOOL=	ENABLE_TLS USE_SYSTEM_MBEDTLS
 MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 MBEDTLS_USES=		localbase:ldflags
 MONITOR_CMAKE_BOOL=	ENABLE_MONITOR
 RPROXY_CMAKE_BOOL=	ENABLE_RPROXY
 TOMAHAWK_CMAKE_BOOL=	ENABLE_TOMAHAWK
 TOOLKIT_CMAKE_BOOL=	ENABLE_TOOLKIT
 XSLT_CMAKE_BOOL=	ENABLE_XSLT
 XSLT_USES=		gnome
 XSLT_USE=		GNOME=libxslt
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|/usr/bin/ssi-cgi|${PREFIX}/bin/ssi-cgi|g' \
 		-e 's|/usr/bin|${LOCALBASE}/bin|g' \
 		${WRKSRC}/config/cgi-wrapper.conf \
 		${WRKSRC}/config/hiawatha.conf.in
 	@${REINPLACE_CMD} -e 's|/usr/sbin|${PREFIX}/sbin|g' \
 		-e 's|/etc/hiawatha|${ETCDIR}|g' \
 		${WRKSRC}/man/hiawatha.1.in \
 		${WRKSRC}/man/cgi-wrapper.1.in
 
 post-install:
 .for f in hiawatha.conf mimetype.conf cgi-wrapper.conf toolkit.conf \
 	error.xslt index.xslt
 	${INSTALL_DATA} ${WRKSRC}/config/${f} \
 		${STAGEDIR}${PREFIX}/etc/hiawatha/${f}.sample
 .endfor
 	@${MKDIR} ${STAGEDIR}${WWWDIR}
 	${INSTALL_DATA} ${WRKSRC}/extra/index.html \
 		${STAGEDIR}${WWWDIR}/index.html.sample
 
 .include <bsd.port.mk>
Index: head/www/hiawatha/distinfo
===================================================================
--- head/www/hiawatha/distinfo	(revision 493330)
+++ head/www/hiawatha/distinfo	(revision 493331)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1550049875
-SHA256 (hiawatha-10.8.4.tar.gz) = 7cb322e9071ad3ee909167c624c6f80b0d2a6630a9d232d52406289d83658b14
-SIZE (hiawatha-10.8.4.tar.gz) = 1095071
+TIMESTAMP = 1550525987
+SHA256 (hiawatha-10.9.tar.gz) = 74dd43812272c3ddbf067b6d4da1773cdeef2ffe71e8f164449fabf8431752b8
+SIZE (hiawatha-10.9.tar.gz) = 1139702
Index: head/www/hiawatha/pkg-help
===================================================================
--- head/www/hiawatha/pkg-help	(revision 493330)
+++ head/www/hiawatha/pkg-help	(revision 493331)
@@ -1,51 +1,56 @@
 CACHE
 Enable caching support.  It is required for the CacheMaxFilesize,
 CacheRProxyExtension, CacheSize settings.  CacheRProxyExtension
 requires that RPROXY is also enabled.  With this option enabled
 Hiawatha can cache the output of CGI applications, which can control
 caching with the X-Hiawatha-Cache and X-Hiawatha-Cache-Remove
 headers.
 
 CGIWRAPPER
 Install cgi-wrapper(1), which can be used to run certain CGI programs
 with a different user than the webserver's user.  To function
 properly, the CGI wrapper binary needs to have the setuid bit set.
 
+LEFH
+Install the 'lefh' (Let's Encrypt For Hiawatha) tool to help in
+obtaining and maintaining Let's Encrypt certificates.  It needs PHP
+and also implies having MBEDTLS enabled.
+
 LOADCHECK
 Enable experimental support for MaxServerLoad.  When the host has
 a load higher than that value, Hiawatha will drop incoming connections.
 Officially this feature is only available on Linux.  FreeBSD support
 is largely untested.
 
 MBEDTLS
 Enable TLS support via security/mbedtls.  It is required for the
 MinTLSversion, PublicKeyPins, RequiredCA, RequireTLS, and TLScertFile
 settings.
 
 MONITOR
 Enable Hiawatha Monitor support.  The MonitorServer setting enables
 logging of statistical information to a remote monitor server running
 www/hiawatha-monitor.  CGI scripts can log additional events via
 the X-Hiawatha-Monitor header.
 
 RPROXY
 Enable reverse proxy support.  It is required for the CacheRProxyExtension,
 CustomHeaderBackend, and ReverseProxy settings.  CacheRProxyExtension
 requires that CACHE is also enabled.  ReverseProxy can be used to
 forward requests with URLs that match POSIX regular expressions to
 other webserver
 
 TOMAHAWK
 Enable support for the Tomahawk command shell.  It is exposed via
 a Telnet service and can be used to view server statistics, to
 ban/unban clients, to clear the cache, etc.
 
 TOOLKIT
 Enable URL toolkit support, a DSL to do URL transformations.  It
 is required for the UseToolkit settings and UrlToolkit directives.
  
 XSLT
 With this option enabled, Hiawatha can do XSL transformation via
 textproc/libxslt when an XML file is requested and an XSLT sheet
 is present.  It is required for the ErrorXSLTfile, UseXSLT settings,
 and XSLT support in ShowIndex.
Index: head/www/hiawatha/pkg-plist
===================================================================
--- head/www/hiawatha/pkg-plist	(revision 493330)
+++ head/www/hiawatha/pkg-plist	(revision 493331)
@@ -1,17 +1,29 @@
 bin/ssi-cgi
 @sample %%ETCDIR%%/cgi-wrapper.conf.sample
 @sample %%ETCDIR%%/error.xslt.sample
 @sample %%ETCDIR%%/hiawatha.conf.sample
 @sample %%ETCDIR%%/index.xslt.sample
 @sample %%ETCDIR%%/mimetype.conf.sample
 @sample %%ETCDIR%%/toolkit.conf.sample
+%%LEFH%%lib/hiawatha/letsencrypt/acmev2.php
+%%LEFH%%lib/hiawatha/letsencrypt/config.php
+%%LEFH%%lib/hiawatha/letsencrypt/hiawatha_config.php
+%%LEFH%%lib/hiawatha/letsencrypt/http.php
+%%LEFH%%lib/hiawatha/letsencrypt/https.php
+%%LEFH%%lib/hiawatha/letsencrypt/letsencrypt.conf
+%%LEFH%%lib/hiawatha/letsencrypt/letsencrypt.php
+%%LEFH%%lib/hiawatha/letsencrypt/logfile.php
+%%LEFH%%lib/hiawatha/letsencrypt/openssl.conf
+%%LEFH%%lib/hiawatha/letsencrypt/rsa.php
 %%CGIWRAPPER%%man/man1/cgi-wrapper.1.gz
 man/man1/hiawatha.1.gz
+%%LEFH%%man/man1/lefh.1.gz
 man/man1/ssi-cgi.1.gz
 man/man1/wigwam.1.gz
 %%CGIWRAPPER%%sbin/cgi-wrapper
 sbin/hiawatha
+%%LEFH%%sbin/lefh
 sbin/wigwam
 @sample %%WWWDIR%%/index.html.sample
 @dir /var/log/hiawatha
 @dir /var/db/hiawatha