diff --git a/helmchart/single-sign-on/templates/_helpers.tpl b/helmchart/single-sign-on/templates/_helpers.tpl
index 684bb6efe5989487ab759093c7ce4838ea3f888b..7ccf2598ab3cee107c2b76131289c20b6ac8051e 100644
--- a/helmchart/single-sign-on/templates/_helpers.tpl
+++ b/helmchart/single-sign-on/templates/_helpers.tpl
@@ -83,8 +83,6 @@ Create a secret name which can be overridden.
   value: http://{{ .Release.Name }}-hydra-admin:4445
 - name: KRATOS_ADMIN_URL
   value: http://{{ .Release.Name }}-kratos-admin:80
-- name: KRATOS_PUBLIC_URL
-  value: https://{{ .Values.singleSignOnHost }}/api
 - name: PUBLIC_URL
   value: https://{{ .Values.singleSignOnHost }}/login
 - name: DATABASE_URL
diff --git a/helmchart/single-sign-on/templates/deployment-login.yaml b/helmchart/single-sign-on/templates/deployment-login.yaml
index 6926e96c03a6077457debb191f0422620f67cee4..5ee95a02037a6fb971203f1a12d7e89c7c221328 100644
--- a/helmchart/single-sign-on/templates/deployment-login.yaml
+++ b/helmchart/single-sign-on/templates/deployment-login.yaml
@@ -22,6 +22,8 @@ spec:
           imagePullPolicy: {{ .Values.login.image.pullPolicy }}
           env:
             {{ include "flask.env" . | nindent 12 }}
+            - name: KRATOS_PUBLIC_URL
+              value: https://{{ .Values.singleSignOnHost }}/api
           ports:
             - name: login-http
               containerPort: 5000
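Review bot: The new `KRATOS_PUBLIC_URL` entry under `env:` carries no comment explaining why it now lives in this template instead of the shared `flask.env` helper. A reader comparing this file with job-create-admin.yaml will see two different values for the same variable with no rationale. A comment above the entry would help, for example `# Browser-facing Kratos URL; the create-admin job overrides this with the in-cluster service`. Other templates that include `flask.env` are not visible here; if any exist, they no longer receive the variable after the removal in _helpers.tpl and should be checked.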
diff --git a/helmchart/single-sign-on/templates/job-create-admin.yaml b/helmchart/single-sign-on/templates/job-create-admin.yaml
index d1bbf42b34d760929f0e93555a267e9ad21d1ba4..8e1c3d7250c693677736207a94b747a66a60588d 100644
--- a/helmchart/single-sign-on/templates/job-create-admin.yaml
+++ b/helmchart/single-sign-on/templates/job-create-admin.yaml
@@ -27,6 +27,8 @@ spec:
             value: {{ .Values.login.user }}
           - name: SETUP_PASSWORD
             value: {{ .Values.login.password }}
+          - name: KRATOS_PUBLIC_URL
+            value: http://{{ .Release.Name }}-kratos-public:80
         command: ["/bin/bash", "-c"]
         args:
           - flask user create $SETUP_USER;
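Review bot: The added `KRATOS_PUBLIC_URL` value `http://{{ .Release.Name }}-kratos-public:80` makes the admin-setup job talk to Kratos' public API over plain HTTP inside the cluster. The recovery link and session cookies used to set the admin password therefore cross the pod network unencrypted. That looks deliberate, since the job runs before TLS is available, but the trust assumption should be written down next to the entry, e.g. `# In-cluster HTTP on purpose: runs before the public TLS endpoint exists; relies on cluster network isolation`. It is also worth confirming that a NetworkPolicy or mesh mTLS limits who can reach or observe the `kratos-public` service. The job spec continues outside the hunk.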
diff --git a/helmchart/single-sign-on/values.yaml b/helmchart/single-sign-on/values.yaml
index 39d0df90a88c6994e75899f62443ca417b7fb01d..3cba336d64fff2aed852ba6b2373f6547da965c9 100644
--- a/helmchart/single-sign-on/values.yaml
+++ b/helmchart/single-sign-on/values.yaml
@@ -205,7 +205,7 @@ hydra:
 # Install login panel
 login:
   image:
-    << : &IMAGE_DEFAULTS_SSO { tag: "loginpanel", pullPolicy: "Always" }
+    << : &IMAGE_DEFAULTS_SSO { tag: "116-allow-password-change-without-ssl-public-endpoint-in-startup-job", pullPolicy: "Always" }
     repository: "open.greenhost.net:4567/stackspin/single-sign-on/login"
   podAnnotations: {}
   db:
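Review bot: The chart's default image tag now points at a feature-branch build, `116-allow-password-change-without-ssl-public-endpoint-in-startup-job`, combined with `pullPolicy: "Always"`. A branch tag is mutable, so every pod restart can pull different code without any chart change, and the tag may disappear once the branch is merged or deleted. Before this lands, the default should go back to a release tag or be pinned by digest. The `&IMAGE_DEFAULTS_SSO` anchor suggests other image blocks merge these defaults; if so, they would inherit the branch tag as well.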
diff --git a/login/kratos.py b/login/kratos.py
index f9940ade303b383e4d4865d33602974fe4ae8fcf..fc502573e2a2fe3ba59f59224baa394c1a363ec6 100644
--- a/login/kratos.py
+++ b/login/kratos.py
@@ -241,6 +241,14 @@ class KratosUser():
             # We override the default Redirect handler with our custom handler to
             # be able to catch the cookies.
             opener = urllib.request.build_opener(RedirectFilter)
+
+            # We rewrite the URL we got. It can be we run this from an enviroment
+            # with different KRATUS_PUBLIC_URL API endpoint then kratos provide
+            # itself. For example in the case running as a job to create an admin
+            # account before TLS is setup/working
+            search = re.match(r'.*(self-service.recovery.flow.*)$', recovery_url)
+            if search:
+                recovery_url = api_url + "/" + search.group(1)
             opener.open(recovery_url)
         # If we do not have a 2xx status, urllib throws an error, as we "stopped"
         # at our redirect, we expect a 3xx status
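Review bot: The pattern in the added `re.match` is looser than it looks and fails open: the dots in `self-service.recovery.flow` match any character, the leading `.*` is greedy, and when nothing matches the original `recovery_url` is opened unchanged with no log line. Splitting the link with `urllib.parse.urlsplit` and re-basing its path and query on `api_url` pins the host explicitly and avoids a double slash when `api_url` ends in `/`; the sketch below assumes the link has the shape `…/self-service/recovery?flow=…` and raises without echoing the URL, since it carries the recovery token. Whether raising is the right failure mode depends on the enclosing `try`, which starts and ends outside the hunk, as do the `re` import and the definition of `api_url`. The comment also names `KRATUS_PUBLIC_URL`; it should read `KRATOS_PUBLIC_URL` so a search for the variable finds it.

```python
            # … unchanged: opener = urllib.request.build_opener(RedirectFilter) …
            # Re-base the recovery link on KRATOS_PUBLIC_URL (api_url): the job that
            # creates the admin account reaches Kratos in-cluster, before TLS on the
            # public host works.
            link = urllib.parse.urlsplit(recovery_url)
            start = link.path.find("/self-service/recovery")
            if start == -1:
                # Do not include the URL in the message: it carries the recovery token.
                raise ValueError("unexpected recovery link path")
            recovery_url = api_url.rstrip("/") + link.path[start:]
            if link.query:
                recovery_url += "?" + link.query
            opener.open(recovery_url)
```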