acme: simplify TLS-SNI challenge cert

There's no need to PEM-encode key/cert pair to create a tls.Certificate.

All tls.X509KeyPair does is decode back to DER and verify that the
key corresponds to the cert. But we already know it does.

Change-Id: Icccdaf7fd86317147476fb03cbc71ee7b4a06edb
Reviewed-on: https://go-review.googlesource.com/26694
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Alex Vaghin 9 years ago
Commit 5f961cd492
1 changed file with 4 additions and 6 deletions

+ 4 - 6
acme/internal/acme/acme.go

@@ -615,12 +615,10 @@ func tlsChallengeCert(san ...string) (tls.Certificate, error) {
 		DNSNames:              san,
 	}
 	der, err := x509.CreateCertificate(rand.Reader, &t, &t, &key.PublicKey, key)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	cert := encodePEM("CERTIFICATE", der)
-	keyp := encodePEM("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key))
-	return tls.X509KeyPair(cert, keyp)
+	return tls.Certificate{
+		Certificate: [][]byte{der},
+		PrivateKey:  key,
+	}, nil
 }
 
 // encodePEM returns b encoded as PEM with block of type typ.
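Review bot: The err from the context line "der, err := x509.CreateCertificate(rand.Reader, &t, &t, &key.PublicKey, key)" is no longer checked. With the "if err != nil" block removed, the function returns a tls.Certificate and a nil error even when certificate creation fails, so the caller receives a chain whose only entry is a nil DER slice and only finds out later, during the handshake. Removing the PEM round trip through tls.X509KeyPair is fine, since the key and cert are generated together here, but please keep "if err != nil { return tls.Certificate{}, err }" ahead of the new return. The trailing context shows encodePEM is still defined; worth confirming it has other callers after this change.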