I've purchased a valid certificate:
For example this site validates it: https://sslanalyzer.comodoca.com/?url=www.example.com
But when I test it with OpenSSL, like this:
openssl s_client -showcerts -connect www.example.com:443
I get
Verify return code: 18 (self signed certificate)
SNI-Hole
You've fallen into a SNI hole.
SNI is Server Name Indication. This allows you to have multiple different hostnames living on the same shared IP. And if you don't actually indicate a servername to an SNI-enabled server, then you get back the default certificate. (This is the "SNI hole" part.)
And OpenSSL will not supply a servername to the TLS server unless you tell it to. Use the -servername parameter for that. If you leave that out, then you get the default certificate for that host. And here that is a self-signed certificate. (And I don't think it should be there either. Makes no sense to deliver a self-signed cert.)
Check that installation
Side note: I urge you to disable SSL3. (SSL Labs report here.)
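The SNI hole described in the answer above can be reproduced on a local machine; this is an added example, not part of the original question or answer. It assumes the openssl CLI is installed and local port 14433 is free. The name default.invalid, the throwaway certificates and the function names are constructed for the demo, and the SNI certificate is put in -CAfile to stand in for the purchased, CA-issued one.

```shell
#!/bin/sh
# Added demo (constructed, local only): an s_server with a self-signed default
# certificate and a second certificate served only for SNI www.example.com.
PORT=${PORT:-14433}          # assumed free local port
NAME=www.example.com

make_cert() {  # $1 = CN; writes a throwaway self-signed $DIR/$1.key and $DIR/$1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$DIR/$1.key" -out "$DIR/$1.crt" 2>/dev/null
}

verify_code() {  # extra s_client args in "$@"; prints the numeric verify return code
  # Trust only the SNI certificate, standing in for the CA-issued one.
  openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$DIR/$NAME.crt" "$@" \
    </dev/null 2>/dev/null |
    sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

sni_hole_demo() {
  DIR=$(mktemp -d) || return 1
  make_cert default.invalid && make_cert "$NAME" || return 1
  # -www keeps the server accepting connections without reading stdin.
  openssl s_server -accept "$PORT" -www \
    -cert "$DIR/default.invalid.crt" -key "$DIR/default.invalid.key" \
    -servername "$NAME" -cert2 "$DIR/$NAME.crt" -key2 "$DIR/$NAME.key" \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 2
  # Connecting to an IP literal, so s_client sends no SNI unless -servername is given.
  CODE_NO_SNI=$(verify_code)
  CODE_WITH_SNI=$(verify_code -servername "$NAME")
  kill "$SERVER_PID" 2>/dev/null
  wait "$SERVER_PID" 2>/dev/null || true
  rm -rf "$DIR"
  echo "without -servername: $CODE_NO_SNI   with -servername $NAME: $CODE_WITH_SNI"
}

sni_hole_demo
```

Without -servername the server falls back to its default certificate and the client reports code 18; with it, the certificate for www.example.com is returned and verifies.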