I think the reason you end up with only one domain in the certificate would be that the Media Temple AccountCenter’s CSR generation tool is (probably) only asking you for one domain at a time, and only putting that single domain into the generated CSR. When you then provide that certificate to gethttpsforfree.com, you end up with a certificate that only covers that one name.
There are probably a lot of alternatives – assuming that Media Temple is willing to accept the certificate covering both names once you get it. Which alternative is best probably depends on your patience and expertise.
One option would be to ask Media Temple to change the CSR generation tool to create CSRs that cover both the www and non-www forms (assuming my diagnosis is right). Other options include using other tools instead of gethttpsforfree.com, of which there are several – whether web-based like gethttpsforfree.com, or command-line software that you could run over ssh in your Media Temple account, or perhaps locally on your own computer.
A difficulty to keep in mind is that the Let’s Encrypt certificates will expire every 90 days, so whatever solution you come up with will have to be repeated at least that often in order to avoid ending up with an expired certificate and a broken site. That’s a big reason that we’ve encouraged hosting providers to integrate Let’s Encrypt in a more automated fashion so that the hosting provider can automatically renew the certificate on the user’s behalf, without requiring a manual action. You might also want to consider whether you’re willing to repeat whatever solution we come up with every 2-3 months indefinitely.