diff --git a/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml b/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml index 6eb961b..83b120c 100644 --- a/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml +++ b/ansible/roles/host_ocp4_assisted_scale/defaults/main.yml @@ -19,6 +19,6 @@ ai_configure_hosts: [] # When true, remove worker role from control-plane nodes and mark masters non-schedulable worker_only: false -# CSR approval retry settings -approve_csr_retries: 90 +# CSR approval retry settings — must cover install + reboot + kubelet startup +approve_csr_retries: 180 approve_csr_delay: 10 diff --git a/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml b/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml index d716cfb..0d321c5 100644 --- a/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml +++ b/ansible/roles/host_ocp4_assisted_scale/tasks/main.yaml @@ -175,6 +175,25 @@ loop_control: loop_var: _index +# Approve CSRs BEFORE wait_for_hosts to avoid deadlock. +# The machine-approver rejects CSRs for assisted-installer workers +# (no Machine API objects), so we must approve them manually. +# Workers install OCP, reboot, then generate CSRs — approving them +# here lets nodes join the cluster so the AI can mark hosts ready. +- name: Initialize CSR approval iteration counter + ansible.builtin.set_fact: + approve_csr_iteration: 1 + +- name: Approve CSR + ansible.builtin.include_tasks: approve_csr_nodes.yaml + +- name: Wait for the hosts to be ready + module_defaults: + group/k8s: + host: "{{ sandbox_openshift_api_url }}" + api_key: "{{ sandbox_openshift_api_key }}" + validate_certs: false + block: - name: Wait for the hosts to be ready rhpds.assisted_installer.wait_for_hosts: cluster_id: "{{ r_import_cluster.result.id }}" 
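Review bot: The new `module_defaults` on the "Wait for the hosts to be ready" block sets `validate_certs: false` next to `api_key`, so any k8s-group module that inherits these defaults would send the bearer token to `sandbox_openshift_api_url` without verifying the server certificate. I would default to verification and make the opt-out explicit, e.g. `validate_certs: "{{ sandbox_openshift_validate_certs | default(true) }}"` (a new variable), or supply the cluster CA through `ca_cert`. From the visible lines the block seems to wrap only `rhpds.assisted_installer.wait_for_hosts`, which does not look like a k8s-group module, so these defaults may be inert here and could simply be dropped; the block body continues past this hunk, so that needs confirming. Separately, `approve_csr_nodes.yaml` (not shown) now runs before the hosts are confirmed and for up to `approve_csr_retries` × `approve_csr_delay`, so it is worth checking that it approves only CSRs whose requested node names match the expected workers rather than every pending request.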
@@ -184,13 +203,6 @@ configure_hosts: "{{ ai_configure_hosts }}" wait_timeout: 600 -- name: Initialize CSR approval iteration counter - ansible.builtin.set_fact: - approve_csr_iteration: 1 - -- name: Approve CSR - ansible.builtin.include_tasks: approve_csr_nodes.yaml - - name: Configure worker-only mode when: worker_only | default(false) | bool ansible.builtin.include_tasks: worker_only.yaml