diff --git a/ansible/roles/keystone/templates/keystone-startup.sh.j2 b/ansible/roles/keystone/templates/keystone-startup.sh.j2
index f5769b9488..2304df1ab2 100644
--- a/ansible/roles/keystone/templates/keystone-startup.sh.j2
+++ b/ansible/roles/keystone/templates/keystone-startup.sh.j2
@@ -26,8 +26,8 @@ done
 TOKEN_PRIMARY=$(ls -1 ${TOKEN_DIR} | sort -hr | head -n 1)
 # Check it's age in seconds
 TOKEN_AGE=$(($(date +%s) - $(date +%s -r "${TOKEN_DIR}/${TOKEN_PRIMARY}")))
-# Compare if it's older than fernet_token_expiry and run key rotation if needed
-if [ "${TOKEN_AGE}" -gt "{{ fernet_token_expiry }}" ]; then
+# Compare if it's older than fernet_key_rotation_interval and fail if it's stale
+if [ "${TOKEN_AGE}" -gt "{{ fernet_key_rotation_interval }}" ]; then
     echo "ERROR: Primary token ${TOKEN_PRIMARY} is stale."
     exit 1
 fi
diff --git a/releasenotes/notes/bug-1895723-910de90908de260a.yaml b/releasenotes/notes/bug-1895723-910de90908de260a.yaml
new file mode 100644
index 0000000000..959285bf60
--- /dev/null
+++ b/releasenotes/notes/bug-1895723-910de90908de260a.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    An issue has been fixed when ``keystone`` container would be stuck in
+    restart loop with a message that fernet key is stale.
+    `LP#1895723 <https://launchpad.net/bugs/1895723>`__