diff --git a/net/acme-acmesh/Makefile b/net/acme-acmesh/Makefile index a5ffe76a5..553d8ddf5 100644 --- a/net/acme-acmesh/Makefile +++ b/net/acme-acmesh/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-acmesh PKG_VERSION:=3.0.1 -PKG_RELEASE:=10 +PKG_RELEASE:=11 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/acmesh-official/acme.sh/tar.gz/$(PKG_VERSION)? diff --git a/net/acme-acmesh/files/hook.sh b/net/acme-acmesh/files/hook.sh index 03343dacb..477003e3f 100644 --- a/net/acme-acmesh/files/hook.sh +++ b/net/acme-acmesh/files/hook.sh @@ -2,8 +2,6 @@ set -u ACME=/usr/lib/acme/client/acme.sh LOG_TAG=acme-acmesh -# webroot option deprecated, use the exported value directly in the next major version -WEBROOT=${webroot:-$CHALLENGE_DIR} NOTIFY=/usr/lib/acme/notify # shellcheck source=net/acme/files/functions.sh 
@@ -13,30 +11,32 @@ NOTIFY=/usr/lib/acme/notify export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt export NO_TIMESTAMP=1 -link_certs() -{ - local main_domain - local domain_dir - domain_dir="$1" - main_domain="$2" +link_certs() { + local main_domain + local domain_dir + domain_dir="$1" + main_domain="$2" - (umask 077; cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" > "$domain_dir/combined.cer") + ( + umask 077 + cat "$domain_dir/fullchain.cer" "$domain_dir/$main_domain.key" >"$domain_dir/combined.cer" + ) - if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then + if [ ! -e "$CERT_DIR/$main_domain.crt" ]; then ln -s "$domain_dir/$main_domain.cer" "$CERT_DIR/$main_domain.crt" - fi - if [ ! -e "$CERT_DIR/$main_domain.key" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.key" ]; then ln -s "$domain_dir/$main_domain.key" "$CERT_DIR/$main_domain.key" - fi - if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.fullchain.crt" ]; then ln -s "$domain_dir/fullchain.cer" "$CERT_DIR/$main_domain.fullchain.crt" - fi - if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.combined.crt" ]; then ln -s "$domain_dir/combined.cer" "$CERT_DIR/$main_domain.combined.crt" - fi - if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then + fi + if [ ! -e "$CERT_DIR/$main_domain.chain.crt" ]; then ln -s "$domain_dir/ca.cer" "$CERT_DIR/$main_domain.chain.crt" - fi + fi } case $1 in @@ -44,12 +44,14 @@ get) set -- [ "$debug" = 1 ] && set -- "$@" --debug - case $keylength in - ec-*) + case $key_type in + ec*) + keylength=${key_type/ec/ec-} domain_dir="$state_dir/${main_domain}_ecc" set -- "$@" --ecc ;; - *) + rsa*) + keylength=${key_type#rsa} domain_dir="$state_dir/$main_domain" ;; esac @@ -71,7 +73,7 @@ get) case $status in 0) - link_certs "$domain_dir" "$main_domain" + link_certs "$domain_dir" "$main_domain" $NOTIFY renewed exit ;; 
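Review bot: In net/acme-acmesh/files/hook.sh, the rewritten `case $key_type in` (hunk `@@ -44,12 +44,14 @@`) drops the old `*)` catch-all, so a key_type matching neither `ec*` nor `rsa*` leaves `keylength` and `domain_dir` unassigned. With `set -u` at the top of the script, the first later use would presumably abort with an unbound-variable error rather than a message naming the bad option. A final branch such as `*) echo "unsupported key_type: $key_type" >&2; exit 1 ;;` would make the failure explicit. The same gap begins in load_options in net/acme-common/files/acme.init (hunk `@@ -39,8 +39,17 @@`), where `*) key_type=rsa$keylength ;;` and the plain `config_get key_type` pass any configured string through unchecked. The enclosing `get)` branch starts and ends outside this hunk.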
@@ -121,8 +123,8 @@ get) elif [ "$standalone" = 1 ]; then set -- "$@" --standalone --listen-v6 else - mkdir -p "$WEBROOT" - set -- "$@" --webroot "$WEBROOT" + mkdir -p "$CHALLENGE_DIR" + set -- "$@" --webroot "$CHALLENGE_DIR" fi set -- "$@" --issue --home "$state_dir" @@ -137,7 +139,7 @@ get) case $status in 0) - link_certs "$domain_dir" "$main_domain" + link_certs "$domain_dir" "$main_domain" $NOTIFY issued ;; *) diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile index ac92fc564..324b742b6 100644 --- a/net/acme-common/Makefile +++ b/net/acme-common/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-common -PKG_VERSION:=1.0.3 +PKG_VERSION:=1.0.4 PKG_MAINTAINER:=Toke Høiland-Jørgensen PKG_LICENSE:=GPL-3.0-only diff --git a/net/acme-common/files/acme.init b/net/acme-common/files/acme.init index a97856496..d4ff51063 100644 --- a/net/acme-common/files/acme.init +++ b/net/acme-common/files/acme.init @@ -39,8 +39,17 @@ load_options() { export domains export main_domain main_domain="$(first_arg $domains)" - config_get keylength "$section" keylength ec-256 - export keylength + config_get keylength "$section" keylength + if [ "$keylength" ]; then + log warn "Option \"keylength\" is deprecated, please use key_type (e.g., ec256, rsa2048) instead." + case $keylength in + ec-*) key_type=${keylength/-/} ;; + *) key_type=rsa$keylength ;; + esac + else + config_get key_type "$section" key_type ec256 + fi + export key_type config_get dns "$section" dns export dns config_get acme_server "$section" acme_server @@ -51,11 +60,10 @@ load_options() { export standalone config_get dns_wait "$section" dns_wait export dns_wait - config_get webroot "$section" webroot - export webroot if [ "$webroot" ]; then log warn "Option \"webroot\" is deprecated, please remove it and change your web server's config so it serves ACME challenge requests from $CHALLENGE_DIR." + CHALLENGE_DIR=$webroot fi }
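Review bot: In load_options in net/acme-common/files/acme.init (hunk `@@ -51,11 +60,10 @@`), `config_get webroot "$section" webroot` is removed, but the following `if [ "$webroot" ]` still tests the variable and the new `CHALLENGE_DIR=$webroot` depends on it. As far as this hunk shows, nothing assigns `webroot` any more, so the deprecation warning and the override either never run or pick up a `webroot` inherited from the caller's environment instead of the UCI section. Keeping the `config_get webroot "$section" webroot` line ahead of the `if`, and dropping only `export webroot`, would preserve the intended fallback. Whether CHALLENGE_DIR is exported, so that `mkdir -p "$CHALLENGE_DIR"` in hook.sh sees the overridden value, is not visible here and is worth confirming. The function starts outside the hunk.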