Well, there is not a communication problem as Matter Server was able to establish a secure session with the device, but the Matter Server essentially says that the device is not a valid Matter device because Matter Server could not find a certificate/chain to “attest” to the device being a valid Matter device.
I really don’t know why Google Home would allow the device to be commissioned on its Matter fabric unless Google Home keeps its own stash of certificates for Nest devices and hasn’t releases these certificates to Matter.
Interessting thought. Recently I heard that the IKEA matter bridge doesn’t share/forward matter devices that are from other brands than IKEA themselves…
I ended up getting around this by using Guide: Bypass matter attestation verifier to get the matter server to skip verifying the certificate. That isn’t ideal but worked for me
This seems more complicated than jailbreaking your phone
But at least something exist and working (at the moment) to don’t be forced cloud connecting your matter device before being able to use is it
In anyway if you prefer ownership and weird things like right to repair or extend you probably skip all matter devices…
I ran into the same issue with the certificate not being found. After much tinkering (with help from Gemini) I was able to link it via the Advanced SSH & Web Terminal and executing this script.
Given that this works by forcing the download of the certificates, I’m curious to know why they are not already being downloaded?
Sharing script to assist others:
# 1. Update with your FRESH 11-digit code from Google Home
# Pull a code from the Home app in thermostat settings > device information > Linked Matter apps > Link app > Use pairing
CODE="30573044457"
echo "--- Phase 1: Injecting Missing Google Roots ---"
# We use Python to download the missing Dev & Prod roots directly into the server
docker exec addon_core_matter_server python3 -c "
import urllib.request, os
# Ensure the credentials directory exists
os.makedirs('/data/credentials', exist_ok=True)
os.chdir('/data/credentials')
# These URLs match the AKID 84:6F... seen in your error logs
urls = [
'https://raw.githubusercontent.com/project-chip/connectedhomeip/master/credentials/development/paa-root-certs/paa-root-cert-test-goog.der',
'https://pki.goog/matter/Google_Matter_Root_CA_2023.crt'
]
print('Downloading certificates...')
for url in urls:
try:
filename = url.split('/')[-1]
urllib.request.urlretrieve(url, filename)
print(f'Successfully saved: {filename}')
except Exception as e:
print(f'Error downloading {url}: {e}')
print('Verifying /data/credentials content:')
print(os.listdir('.'))
"
echo "--- Phase 2: Restarting Server to Load Certificates ---"
echo "This is required for the SDK to index the new files."
docker restart addon_core_matter_server
echo "Waiting 45 seconds for Matter Server to boot..."
sleep 45
echo "--- Phase 3: Executing Force-Pairing ---"
docker exec -it addon_core_matter_server python3 -c "
import asyncio, aiohttp, sys
from matter_server.client import MatterClient
async def main():
setup_code = '$CODE'
url = 'ws://core-matter-server:5580/ws'
print(f'Connecting to Matter Server at {url}...')
try:
async with aiohttp.ClientSession() as session:
async with MatterClient(url, session) as client:
await client.connect()
print('Connected.')
print(f'Sending commission command for {setup_code}...')
print('Flags: network_only=True, allow_attestation_failure=True')
# With the certificate in place, this should now succeed
res = await client.send_command(
'commission_with_code',
code=setup_code,
network_only=True,
)
print(f'\n--- SUCCESS! ---')
print(f'Result: {res}')
print('Your Nest Thermostat should now appear in Home Assistant.')
except Exception as e:
print(f'\nCommissioning Failed: {e}')
if 'Connection refused' in str(e):
print('The server is still starting up. Wait 10 seconds and try running this python block again.')
asyncio.run(main())
"
