What command did you use to generate your certificate? You should see a section that has -d testsite.com -d www.testsite.com and there you can add -d mail.testsite.com to generate a new certificate that has all three names on it.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.testsite.io
Waiting for verification…
Challenge failed for domain mail.testsite.io
http-01 challenge for mail.testsite.io
Cleaning up challenges
Some challenges have failed.
MX record means you will receive email by that domain: so you should also have a record for mail.testsite.io, as senders obviously need to know where that domain is.
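
Added example, not part of the thread: a preflight check over constructed zone data that flags certificate names with no A/AAAA record (the http-01 validator has to connect to the name over HTTP) and MX targets that lack an address record. The zone contents, the 203.0.113.10 address and the function names are assumptions made for illustration.

```python
# Constructed zone data for illustration; not the poster's real DNS.
ZONE = """\
testsite.io.       300 IN A     203.0.113.10
www.testsite.io.   300 IN CNAME testsite.io.
testsite.io.       300 IN MX    10 mail.testsite.io.
"""

ADDRESS_TYPES = {"A", "AAAA"}

def parse_zone(text):
    """Return {owner: [(rtype, rdata), ...]} from 'name ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner = name.lower().rstrip(".")
        records.setdefault(owner, []).append((rtype.upper(), rdata.strip()))
    return records

def has_address(records, name, depth=0):
    """True if name has an A/AAAA record, following CNAMEs within this data."""
    name = name.lower().rstrip(".")
    if depth > 8:                              # guard against CNAME loops
        return False
    for rtype, rdata in records.get(name, []):
        if rtype in ADDRESS_TYPES:
            return True
        if rtype == "CNAME" and has_address(records, rdata, depth + 1):
            return True
    return False

def preflight(records, cert_names):
    """List problems that would break http-01 validation or mail delivery."""
    problems = []
    for name in cert_names:
        if not has_address(records, name):
            problems.append(f"{name}: no A/AAAA record, http-01 cannot reach it")
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype == "MX":
                target = rdata.split()[1].rstrip(".")
                if not has_address(records, target):
                    problems.append(f"{owner}: MX target {target} has no A/AAAA record")
    return problems

if __name__ == "__main__":
    names = ["testsite.io", "www.testsite.io", "mail.testsite.io"]
    print("\n".join(preflight(parse_zone(ZONE), names)))
```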