diff --git a/playbooks/tasks/sync-ssh-hostkeys.yml b/playbooks/tasks/sync-ssh-hostkeys.yml
index c43c6f1d33cd08726ba20c712f27d04bf1c9e79e..01f5986131e4a1095182d27e24be26f8af3a9fe0 100644
--- a/playbooks/tasks/sync-ssh-hostkeys.yml
+++ b/playbooks/tasks/sync-ssh-hostkeys.yml
@@ -8,7 +8,7 @@
         register: ssh_hostkeys
         changed_when: ssh_hostkeys | length > 0
       - name: fetch known_hosts
-        shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#'"
+        shell: "set -o pipefail && ssh-keyscan 127.0.0.1 2>/dev/null | sed 's#^127.0.0.1#{{ inventory_hostname }}#' | sort"
         args:
           executable: /bin/bash # required for repro3.pkgbuild.com which is ubuntu and has dash as default shell
         register: known_hosts